wannacry

General

Target

NO-ESCAPE-main.zip
Size

732KB
Sample

240711-w9z6ms1gmc
MD5

9172731ba3f16b578bcb14000ccbccd4
SHA1

e7ab716661ed88ecf060dc5d53720877b141eac9
SHA256

ce0a32e35b7c79e7e2ffe7bd3c7566a6fb843341268ad50f4a594e56e17a5110
SHA512

3a35995b6dadf408ca69699220120bba5f70fb3c2a850165ab11dad03821c8ce316bf7e9662f8976e0bf659cdb9adf0c8d0d7beca22b59480e4830dc5e02666c
SSDEEP

12288:RhHGV4kchbcLL5pKYy89+cKOHQ05rwEc21etvfURHmsHKaMekSij9EgnSrojr:RhH3llcLL5vV9+vOHJUEchweReC9vnSq

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  NO-ESCAPE-main/No Escape.exe
- Size
  
  771KB
- MD5
  
  2782877418b44509fd306fd9afe43e39
- SHA1
  
  b0c18bdf782ca9c4fa41074f05458ce8e0f3961b
- SHA256
  
  56d612e014504c96bb92429c31eb93f40938015d422b35765912ac4e6bd3755b
- SHA512
  
  8826881b3ab406ee4c1fabd4848161f8524aeaeb7c4397384d36840f947ef95c8560850b2409fbf761ff225cdc8ac6eb875b705476fe9574b23c7a5478505a86
- SSDEEP
  
  24576:OeTrmlZGPL7NV9+VitFsQUxY8BGOdQSqZ:hT6KDrmIFsBJBG4XqZ
Score

10^/10

wannacry defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer worm
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies RDP port number used by Windows
- Modifies Windows Firewall
  evasion
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2