Overview

overview

10

Static

static

3

dl2.exe

windows7-x64

1

dl2.exe

windows10-2004-x64

10

Resubmissions

02-10-2024 11:53

241002-n2j6fsycqb 3

13-09-2024 04:59

240913-fmwxpswcpb 3

11-09-2024 15:54

240911-tcmg6sygmm 3

11-09-2024 15:53

240911-tbsmsszbnh 10

25-08-2024 22:53

240825-2t6als1gll 10

24-08-2024 21:25

240824-z93hjsscrp 9

24-08-2024 21:20

240824-z65thazfpa 10

21-08-2024 23:05

240821-23av3azamj 10

21-08-2024 16:22

240821-tvn4qayekh 3

21-08-2024 16:20

240821-ttkd5sydng 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    230823-139hyshd3w_pw_infected.zip

  • Size

    472KB

  • Sample

    240812-ypxacs1hld

  • MD5

    e3af7d1463d266e02cd03ea7a3add2e4

  • SHA1

    6456c0de00c86db5e7d061fbf7e19792d3dbbc4a

  • SHA256

    8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd

  • SHA512

    855e4ba5316a800113f6f410d37ba7e981c0f72bb23664c26e464777f2a0a96d8f651e77189af89e70be9d032a3a1b7b40b005bd60b9f6dc792c7588b3a8d9bb

  • SSDEEP

    12288:ABgmK1z0D2TuzS4cu2LH6WhBO8RiKrDmlPPoSdERZIhp4TWo3:2BKqSt4AH6Whc2fqPoSdEDRWo3

Score
10/10
bazarbackdoorwannacrybackdoordefense_evasiondiscoveryexecutionimpactpersistenceransomwareworm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

    • Target

      dl2.exe

    • Size

      849KB

    • MD5

      c2055b7fbaa041d9f68b9d5df9b45edd

    • SHA1

      e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06

    • SHA256

      342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3

    • SHA512

      18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc

    • SSDEEP

      12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

    Score
    10/10
    bazarbackdoorwannacrybackdoordefense_evasiondiscoveryexecutionimpactpersistenceransomwareworm

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

      backdoorbazarbackdoor

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Drops startup file

    • Executes dropped EXE

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Adds Run key to start application

      persistence

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks