General

  • Target

    MyCode.exe

  • Size

    39KB

  • Sample

    240706-r5bv2atenc

  • MD5

    70289b7819fa6c4843f3dbf868f89f48

  • SHA1

    2f7a6cd6e8ad0ca190acaf7ccf613183044a0587

  • SHA256

    ebfcca4ca03a8a89a73501632e23383d274a8cea686bed4359153d863652dd2e

  • SHA512

    cea9a878a1e109e80d2e2493d5bd2ac062a89987b67305b4dd3dff2b06f57c6b2a4f80d8be965276e85101a1d36df071c5e9add4940e18a2ae3d454b245210e4

  • SSDEEP

    768:BPv2tlOzFKuGCuuJ/5c/lpfFWPJ92yF6dOMhHjhC:BGroIrCuuJefFe92W6dOMFA

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:24920

6.tcp.eu.ngrok.io:24920

4.tcp.eu.ngrok.io:24920

5.tcp.eu.ngrok.io:24920

0.tcp.eu.ngrok.io:24920

20.ip.gl.ply.gg:24920

Mutex

qp0SiG21yxPKVpTy

Attributes
  • Install_directory

    %AppData%

  • install_file

    Upgrade.exe

aes.plain

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      MyCode.exe

    • Size

      39KB

    • MD5

      70289b7819fa6c4843f3dbf868f89f48

    • SHA1

      2f7a6cd6e8ad0ca190acaf7ccf613183044a0587

    • SHA256

      ebfcca4ca03a8a89a73501632e23383d274a8cea686bed4359153d863652dd2e

    • SHA512

      cea9a878a1e109e80d2e2493d5bd2ac062a89987b67305b4dd3dff2b06f57c6b2a4f80d8be965276e85101a1d36df071c5e9add4940e18a2ae3d454b245210e4

    • SSDEEP

      768:BPv2tlOzFKuGCuuJ/5c/lpfFWPJ92yF6dOMhHjhC:BGroIrCuuJefFe92W6dOMFA

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • CryptoLocker

      Ransomware family with multiple variants.

    • Detect Xworm Payload

    • Modifies Windows Defender Real-time Protection settings

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks