General
-
Target
download.jfif
-
Size
6KB
-
Sample
240425-ysff1sea6w
-
MD5
fa39cb8e00137d0e2b21293a4b16e4ea
-
SHA1
7a9c82d998af90d04717ee9150f383b677cf3c22
-
SHA256
bc662f21995d6982cf7655a1c23774b131a87c903d5efcdcea07978d1ad86061
-
SHA512
c35e293873253403df0566f2c6bccfb488190b844e993c73a70ae914a65eb21086a51520bdaf37cb13370864605291e6ed93b97763b997535a00a0596aaa9b65
-
SSDEEP
192:kfqKJSYkSuqaFNg/N3sJOBZPYyH1CpLHMO:GdVca/1nZr1CpL
Static task
static1
Behavioral task
behavioral1
Sample
download.jpg
Resource
win10v2004-20240412-en
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@Please_Read_Me@.txt
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Targets
-
-
Target
download.jfif
-
Size
6KB
-
MD5
fa39cb8e00137d0e2b21293a4b16e4ea
-
SHA1
7a9c82d998af90d04717ee9150f383b677cf3c22
-
SHA256
bc662f21995d6982cf7655a1c23774b131a87c903d5efcdcea07978d1ad86061
-
SHA512
c35e293873253403df0566f2c6bccfb488190b844e993c73a70ae914a65eb21086a51520bdaf37cb13370864605291e6ed93b97763b997535a00a0596aaa9b65
-
SSDEEP
192:kfqKJSYkSuqaFNg/N3sJOBZPYyH1CpLHMO:GdVca/1nZr1CpL
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Indicator Removal
1File Deletion
1File and Directory Permissions Modification
1Modify Registry
4Pre-OS Boot
1Bootkit
1Hide Artifacts
1Hidden Files and Directories
1