General

  • Target

    FreeFortniteVbucks.exe

  • Size

    12.9MB

  • Sample

    240726-n5yg9awdqm

  • MD5

    f4dfe31dcd4e1ea36da485bb03856417

  • SHA1

    9d9a50d5a1c4be2caf59f792dd8ac8184ff13b74

  • SHA256

    be3eeda22c1620f47195d1e1002753b9a15ed3a044e8db38949fd236bcc08831

  • SHA512

    993d1688a2b308fcd8075e439e12513823920d57cef92269189b255cf7229691038d441452715a0a1457611394021bfc407577905f381192b01a44ea6c4ac963

  • SSDEEP

    393216:NKiCa/gqmVWNIoc3IrDE0EyoZedrQDgF:N7Ca/gNkTRE0vo0JD

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

    • Target

      FreeFortniteVbucks.exe

    • Size

      12.9MB

    • MD5

      f4dfe31dcd4e1ea36da485bb03856417

    • SHA1

      9d9a50d5a1c4be2caf59f792dd8ac8184ff13b74

    • SHA256

      be3eeda22c1620f47195d1e1002753b9a15ed3a044e8db38949fd236bcc08831

    • SHA512

      993d1688a2b308fcd8075e439e12513823920d57cef92269189b255cf7229691038d441452715a0a1457611394021bfc407577905f381192b01a44ea6c4ac963

    • SSDEEP

      393216:NKiCa/gqmVWNIoc3IrDE0EyoZedrQDgF:N7Ca/gNkTRE0vo0JD

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v15

Tasks