Overview

overview

10

Static

static

1

Bez tytułu.png

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Bez tytułu.png

  • Size

    210B

  • Sample

    240425-n37m5sad3x

  • MD5

    96406703da080780229fa319f2448994

  • SHA1

    787b6fe4be3e95e0592f9deddaccdb2a5eb4ce41

  • SHA256

    9ae0449c3a39d09fd963fce70aae5bc6f5ff2f08bfa902d306b40f33bdaa3cef

  • SHA512

    c136373ed8c0683dc69e6b56c6bf7a2166b86621ac74de0bdca59bfaa0f1c65d7e3b451be3c981f37dcd130ce053d14137fe059d0a22b2834580ab6493b1e325

Score
10/10
wannacrybootkitdiscoverypersistenceransomwareworm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@Please_Read_Me@.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

    • Target

      Bez tytułu.png

    • Size

      210B

    • MD5

      96406703da080780229fa319f2448994

    • SHA1

      787b6fe4be3e95e0592f9deddaccdb2a5eb4ce41

    • SHA256

      9ae0449c3a39d09fd963fce70aae5bc6f5ff2f08bfa902d306b40f33bdaa3cef

    • SHA512

      c136373ed8c0683dc69e6b56c6bf7a2166b86621ac74de0bdca59bfaa0f1c65d7e3b451be3c981f37dcd130ce053d14137fe059d0a22b2834580ab6493b1e325

    Score
    10/10
    wannacrybootkitdiscoverypersistenceransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Downloads MZ/PE file

    • Sets file execution options in registry

      persistence

    • Drops startup file

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

3
T1112

File and Directory Permissions Modification

1
T1222

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Discovery

Query Registry

5
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks