General

  • Target

    2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry

  • Size

    987KB

  • Sample

    240428-eedkqafg8y

  • MD5

    7f3607674f31dd96e4d6a009cb4dfb7e

  • SHA1

    5ebce6ec9924dc24e73a1faef6934128ea46c28c

  • SHA256

    ab1ead6628df92a6cf9e0aee75bdf3ad9e7bf7e9067baf2a5a83adbf4cfd5d02

  • SHA512

    68e0aff21d3ee5d24794c1d46f5a13fdc6af63f299ff175f74f89443b7edbcf09f7a96fdd43d64ed44e8336f37bfdc1c1806a2103846bbb2e14593fc0a125c06

  • SSDEEP

    12288:ut3UkyTa5ziXxqf8FLpqf77yAJKrMCLSoJjvN+MyjLvBG1YJX8ORnu:TkbsLpqDuA7E3cRnu

Targets

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

    • Detects command variations typically used by ransomware

    • Detects executables containing many references to VEEAM, as observed in ransomware

    • Modifies boot configuration data using bcdedit

    • Deletes System State backups

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter: T1059 (1)

  • Scheduled Task/Job: T1053 (1)

Persistence

  • Create or Modify System Process: T1543 (1)

    • Windows Service: T1543.003 (1)

  • Scheduled Task/Job: T1053 (1)

Privilege Escalation

  • Create or Modify System Process: T1543 (1)

    • Windows Service: T1543.003 (1)

  • Scheduled Task/Job: T1053 (1)

Defense Evasion

  • Indicator Removal: T1070 (3)

    • File Deletion: T1070.004 (3)

  • Impair Defenses: T1562 (1)

    • Disable or Modify System Firewall: T1562.004 (1)

  • Hide Artifacts: T1564 (1)

    • Hidden Files and Directories: T1564.001 (1)

Credential Access

  • Unsecured Credentials: T1552 (1)

    • Credentials In Files: T1552.001 (1)

Discovery

  • Query Registry: T1012 (5)

  • System Information Discovery: T1082 (5)

  • Peripheral Device Discovery: T1120 (2)

Collection

  • Data from Local System: T1005 (1)

Impact

  • Inhibit System Recovery: T1490 (4)