wannacry

Resubmissions

11-07-2024 18:33

240711-w7glhsyfjn 7

11-07-2024 18:33

240711-w665sa1fme 7

11-07-2024 18:09

240711-wrsnvazhng 10

11-07-2024 14:38

240711-rzygvatajf 10

Sharing

Copy URL

Twitter E-mail

General

Target

hentai_and_nudes.exe
Size

8.4MB
Sample

240711-wrsnvazhng
MD5

e3ffdd51eee6c10338d01f5101deaa15
SHA1

3146e8075fe05e6747890b5a70a725d4481801ce
SHA256

5f04be7f8b2d882931ab4d8ae975c74c9a02f30dbf5b3d728d32d23bb257fd7b
SHA512

6d98ec5d4a2574547f4fe871369c5e0e32f463c6342f14b8ece001883ba76610daecd6316b691787a11c7506549b4216d8cb7816035771a3add6d8ee9c06d5ab
SSDEEP

196608:uINGefFRHvUWvogWOxu9kXwvdbD64uLnH0W8/LaSzy8s+5BZN/:BGCFRHd3bAlbiUW83zLZN

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://text.is/QW7R/raw

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  hentai_and_nudes.exe
- Size
  
  8.4MB
- MD5
  
  e3ffdd51eee6c10338d01f5101deaa15
- SHA1
  
  3146e8075fe05e6747890b5a70a725d4481801ce
- SHA256
  
  5f04be7f8b2d882931ab4d8ae975c74c9a02f30dbf5b3d728d32d23bb257fd7b
- SHA512
  
  6d98ec5d4a2574547f4fe871369c5e0e32f463c6342f14b8ece001883ba76610daecd6316b691787a11c7506549b4216d8cb7816035771a3add6d8ee9c06d5ab
- SSDEEP
  
  196608:uINGefFRHvUWvogWOxu9kXwvdbD64uLnH0W8/LaSzy8s+5BZN/:BGCFRHd3bAlbiUW83zLZN
Score

10^/10

upx wannacry bootkit defense_evasion discovery evasion execution impact persistence privilege_escalation pyinstaller ransomware spyware stealer trojan worm
- Modifies WinLogon for persistence
  persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- UAC bypass
  evasion trojan
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Command and Scripting Interpreter: PowerShell
  Powershell Invoke Web Request.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Modifies RDP port number used by Windows
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2
- Target
  
  ttinsta.pyc
- Size
  
  1KB
- MD5
  
  3f0f4450419e5f4e46467f551cf503d0
- SHA1
  
  f3b6b0df743a939c6d57bca03d1c9ad9889b84b0
- SHA256
  
  c63bfaccb23c08a8960f666e665954184eb9a9126442ecfb1d4a5209ca458222
- SHA512
  
  06cba8d3605e64a570dfa680dc0f6c9efa7bf5a50c7c11a3b45d6feb23a06db463deeef30e7f54a184c38bb582d5affc0f3f8e13d38f4e80bc10217197bfb816
Score

3^/10

execution
behavioral3 behavioral4