General
Target: avast_free_antivirus_setup_online.exe
Size: 257KB
Sample: 240718-wxwbxstdqf
MD5: 5dd99460687fa202f26bef9565b2eb71
SHA1: d90930758b01570db7403b1e1130c99d5dfbac91
SHA256: 1fb53cd33d285e2807dca6ee3005689f1425b363c46b377958a7431a46488207
SHA512: ef59d47099f738eedd457a7bbe4779af5e956f7afe073bc98f9d3b10ae57891a225402ad7494c055d656d111e59991fd54ccb00174d3b860e685cb6c49317f82
SSDEEP: 3072:482RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCozOhhSn+K:480KgGwHqwOOELha+sm2D2+Uhngu7p
Static task: static1
Behavioral task: behavioral1
  Sample: avast_free_antivirus_setup_online.exe
  Resource: win10-20240404-en
Behavioral task: behavioral2
  Sample: avast_free_antivirus_setup_online.exe
  Resource: win10v2004-20240709-en
Behavioral task: behavioral3
  Sample: avast_free_antivirus_setup_online.exe
  Resource: win11-20240709-en
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
Family: wannacry
Bitcoin wallet: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Targets
Target: avast_free_antivirus_setup_online.exe
Size: 257KB
MD5: 5dd99460687fa202f26bef9565b2eb71
SHA1: d90930758b01570db7403b1e1130c99d5dfbac91
SHA256: 1fb53cd33d285e2807dca6ee3005689f1425b363c46b377958a7431a46488207
SHA512: ef59d47099f738eedd457a7bbe4779af5e956f7afe073bc98f9d3b10ae57891a225402ad7494c055d656d111e59991fd54ccb00174d3b860e685cb6c49317f82
SSDEEP: 3072:482RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCozOhhSn+K:480KgGwHqwOOELha+sm2D2+Uhngu7p
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Drops file in Drivers directory
- Sets service image path in registry
- Drops startup file
- Impair Defenses: Safe Mode Boot
- Modifies file permissions
- Adds Run key to start application
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Checks for any installed AV software in registry
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Event Triggered Execution: Image File Execution Options Injection
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofencing check.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15 (tactic / technique / sub-technique, with signature counts)
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (2)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Image File Execution Options Injection (1)
Defense Evasion
  File and Directory Permissions Modification (2)
    Windows File and Directory Permissions Modification (1)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (2)
    Disable or Modify Tools (1)
    Safe Mode Boot (1)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (7)
  Pre-OS Boot (1)
    Bootkit (1)