Resubmissions
22-05-2024 18:16
240522-wweyjsbe8v 1022-05-2024 18:15
240522-wwchesbe7y 1022-05-2024 18:11
240522-wslxpabd6s 1022-05-2024 18:10
240522-wsfqnsbe44 1022-05-2024 18:10
240522-wsdajsbe39 1022-05-2024 18:10
240522-wr9mcsbd5w 1022-05-2024 18:10
240522-wr668sbe32 1022-05-2024 18:10
240522-wr35ksbe27 1022-05-2024 18:08
240522-wq26wsbd64 1022-05-2024 18:08
240522-wqx7yabd57 10General
-
Target
Server.exe
-
Size
43KB
-
Sample
240522-wr668sbe32
-
MD5
49ad4c0475749e6dd6001f5a038ab6a8
-
SHA1
4e31ba96d944bb61c65e459153f5762ebde54338
-
SHA256
a024d7bd35a2ecef3773792aa82d46522e6ee0d170e8b5a84acae765ddc058b2
-
SHA512
4304e871c505b2a0bf6a12292ac50e7c6665c6b73138f6501f3c091a5bc2d41c6237c6a019a03530d451bb7b35241c89ac71478c283af2ee57e488fb55bca087
-
SSDEEP
384:tbZyjJ61STss7yKS9po7QAMExZZS23zsIij+ZsNO3PlpJKkkjh/TzF7pWnXmgreT:/0Qk4smKS3OR9Z0OuXQ/o6C+L
Behavioral task
behavioral1
Sample
Server.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Server.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Server.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
Server.exe
Resource
win11-20240508-en
Malware Config
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
HacKed
19.ip.gl.ply.gg:60143
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Extracted
C:\Users\Admin\Documents\@[email protected]
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Extracted
C:\Users\Admin\AppData\Local\Temp\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Extracted
C:\Users\Admin\AppData\Local\Temp\@[email protected]
wannacry
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Targets
-
-
Target
Server.exe
-
Size
43KB
-
MD5
49ad4c0475749e6dd6001f5a038ab6a8
-
SHA1
4e31ba96d944bb61c65e459153f5762ebde54338
-
SHA256
a024d7bd35a2ecef3773792aa82d46522e6ee0d170e8b5a84acae765ddc058b2
-
SHA512
4304e871c505b2a0bf6a12292ac50e7c6665c6b73138f6501f3c091a5bc2d41c6237c6a019a03530d451bb7b35241c89ac71478c283af2ee57e488fb55bca087
-
SSDEEP
384:tbZyjJ61STss7yKS9po7QAMExZZS23zsIij+ZsNO3PlpJKkkjh/TzF7pWnXmgreT:/0Qk4smKS3OR9Z0OuXQ/o6C+L
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
2File Deletion
2Modify Registry
3Scripting
1