5d0aca12e18047ebf796d6f50a96b4b6d335ffe1df936b2f4ab2c9ba409737a7 | Triage

Submit
Reports

Overview

overview

Static

static

3

WinCry.exe

windows7-x64

WinCry.exe

windows10-2004-x64

7

Sharing

General

Target

WinCry.exe
Size

25.0MB
Sample

240802-axh6psvekn
MD5

2f3f0fbdb7edd5bb5dd55f2a659163d6
SHA1

b81b8f1a9425639335a8f540a6dd107523fe1fe7
SHA256

5d0aca12e18047ebf796d6f50a96b4b6d335ffe1df936b2f4ab2c9ba409737a7
SHA512

61f6a252a4b3d55cab534727a6a6efa0e7620b7bcde1990968870dca74b991e9a8bda3a1177e95a9fff1498d24bd93c1f4b50409d9bec96aad441647ccd3e325
SSDEEP

393216:oomWVe3DAnGKZKuNK0SvAn9kaK6gaaNRZbC:ooLW0UoWB6g5NRZbC

Score

10^/10

defense_evasion discovery evasion persistence ransomware trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

WinCry.exe

Resource

win7-20240705-en

defense_evasion discovery evasion persistence ransomware trojan

windows7-x64

27 signatures

150 seconds

Behavioral task

behavioral2

Sample

WinCry.exe

Resource

win10v2004-20240730-en

windows10-2004-x64

6 signatures

150 seconds

Malware Config

Targets

- Target
  
  WinCry.exe
- Size
  
  25.0MB
- MD5
  
  2f3f0fbdb7edd5bb5dd55f2a659163d6
- SHA1
  
  b81b8f1a9425639335a8f540a6dd107523fe1fe7
- SHA256
  
  5d0aca12e18047ebf796d6f50a96b4b6d335ffe1df936b2f4ab2c9ba409737a7
- SHA512
  
  61f6a252a4b3d55cab534727a6a6efa0e7620b7bcde1990968870dca74b991e9a8bda3a1177e95a9fff1498d24bd93c1f4b50409d9bec96aad441647ccd3e325
- SSDEEP
  
  393216:oomWVe3DAnGKZKuNK0SvAn9kaK6gaaNRZbC:ooLW0UoWB6g5NRZbC
Score

10^/10

defense_evasion discovery evasion persistence ransomware trojan
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Power Settings

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

defense_evasiondiscoveryevasionpersistenceransomwaretrojan

behavioral2

© 2018-2024

Terms | Privacy