General

  • Target

    Dual_Keres_Prime

  • Size

    780KB

  • Sample

    240705-yaa4kstfrp

  • MD5

    bce9179b0a24eae8fddb8ff9d6a0e210

  • SHA1

    74b17a58bc1847c42ada876191f7435fe4317ff9

  • SHA256

    08920d5fa03dd4c0d63aaa30be026c00d8b5f56c7ebb2852f2c5f021f06ec8f1

  • SHA512

    57d8da2c4fc1d09b6a483f66da8cfb52d5c782b0658018a55ba8e001c5256bd0d4f144b705ce13fa3adcc5116b2a207fd4c03a21a0df75eb1010d514b6e9eb0a

  • SSDEEP

    3072:9+78i5tlGXgRf25KirmhEZlhneOjcF8rdg78kgHH4J:g78iUKiyhEZlhnK8pWhgHG

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

    • Target

      Dual_Keres_Prime

    • Size

      780KB

    • MD5

      bce9179b0a24eae8fddb8ff9d6a0e210

    • SHA1

      74b17a58bc1847c42ada876191f7435fe4317ff9

    • SHA256

      08920d5fa03dd4c0d63aaa30be026c00d8b5f56c7ebb2852f2c5f021f06ec8f1

    • SHA512

      57d8da2c4fc1d09b6a483f66da8cfb52d5c782b0658018a55ba8e001c5256bd0d4f144b705ce13fa3adcc5116b2a207fd4c03a21a0df75eb1010d514b6e9eb0a

    • SSDEEP

      3072:9+78i5tlGXgRf25KirmhEZlhneOjcF8rdg78kgHH4J:g78iUKiyhEZlhnK8pWhgHG

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • Modifies WinLogon for persistence

    • UAC bypass

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Contacts a large (1273) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Drops startup file

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v13

Execution

Windows Management Instrumentation

1
T1047

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

5
T1112

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

1
T1562.001

Disable or Modify System Firewall

1
T1562.004

Safe Mode Boot

1
T1562.009

Indicator Removal

2
T1070

File Deletion

2
T1070.004

File and Directory Permissions Modification

2
T1222

Windows File and Directory Permissions Modification

1
T1222.001

Direct Volume Access

1
T1006

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Network Service Discovery

1
T1046

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

3
T1082

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Defacement

1
T1491

Tasks