wannacry | 7089a8179efa6c83ec6cac9f54648e85fb903e56a966c3a5874c5a95a81c3638 | Triage

Sharing

General

Target

stealer tools.zip
Size

66.9MB
Sample

240815-v5cn4syepr
MD5

9e013a9f14a38757258d7ad4fe503303
SHA1

32281f6b401a4dc3a9bde0e8cfe9a95e14aa11cf
SHA256

7089a8179efa6c83ec6cac9f54648e85fb903e56a966c3a5874c5a95a81c3638
SHA512

3b4fe9243362d2b70d61f3bb51ccf3497ec987c824a1082459d152a21823f87cc8764e9894f06df4445d017bea13a279dd44fc1fcba07d6dd1947c52cf3d8763
SSDEEP

1572864:PaCryU++hoAU2Ht0sbzxzOYwbb9AYFRgWZH59MoKtZoc:iCrl+oqpnbb9AoRB159MzP

Score

10^/10

wannacry bootkit defense_evasion discovery evasion execution exploit impact persistence ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\password grabber recommended\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  dashboard for all stealers (recomended for start)/paid dashboard.exe
- Size
  
  2.5MB
- MD5
  
  660e26001a8891e78135a09d3ec2623f
- SHA1
  
  bd95c1955be08eaecefa7b3dd1cbdac7387b6d06
- SHA256
  
  1811c7b5ddcc6637a782bf32db70b60bd0bf3ec2b3498716591f718cda25fd14
- SHA512
  
  590df723aaa52806f664adec89bf6e8e570a9c88b4858131fb59f23e31ab3302189393bceb58fe1aa71475065aefab2d093d5f8ad6296693d4124e5a10a34e92
- SSDEEP
  
  49152:cCEz1VWQraflEcY8GSFJ2CBUm5htDRvG0JuH0Xv6GVO8UKlo:cn14QilESfFim15rtxUuo
Score

10^/10

discovery evasion persistence ransomware trojan upx
- UAC bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1
- Target
  
  open for more info/more info.exe
- Size
  
  666KB
- MD5
  
  989ae3d195203b323aa2b3adf04e9833
- SHA1
  
  31a45521bc672abcf64e50284ca5d4e6b3687dc8
- SHA256
  
  d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f
- SHA512
  
  e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305
- SSDEEP
  
  12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TB:s487pcZEgwcDpg1L2tbPR2t
Score

10^/10

discovery evasion persistence ransomware trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Modifies WinLogon
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral2
- Target
  
  password grabber recommended/password stealer.EXE
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Sets desktop wallpaper using registry
  ransomware
behavioral3
- Target
  
  stealer tool (most recomended)/stealer tool dashboard.exe
- Size
  
  51.7MB
- MD5
  
  e1dfc4f445c9d5eb075009970c116128
- SHA1
  
  46b9604d6c5cd96204bf51a754520003455f1aa3
- SHA256
  
  83ddf34331d00285918cff184a6a8ff26fc8d6682018bdee6cf54cb7824fe8d8
- SHA512
  
  fec0cde77d6accba6976b3864302ba801f450df440bbc8b38386bc3fbf2cf3b12773d04c32480f67ede4396bafe3a34b0500d776d9d7d489c466eac80b2180de
- SSDEEP
  
  1572864:AKsj6R2Q/mBlOYlGLTHY9G4FEujFMm+B997DaNHN1oS72fnD9hRzZ01tO0DpvrvI:C6WcLjY9G4FEujFMm+B997DaNHN1oS76
Score

3^/10

discovery
behavioral4
- Target
  
  stealer tool + secret options/ADM Adrenaline Ultimate Edition.exe
- Size
  
  15.0MB
- MD5
  
  8f5a2b3154aba26acf5440fd3034326c
- SHA1
  
  b4d508ee783dc1f1a2cf9147cc1e5729470e773b
- SHA256
  
  fc7e799742a1c64361a8a9c3fecdf44f9db85f0bf57f4fb5712519d12ba4c5ac
- SHA512
  
  01c052c71a2f97daf76c91765e3ee6ec46ca7cb67b162c2fc668ef5ee35399622496c95568dedffbaf72524f70f6afcfe90f567fbb653a93d800664b046cd5f2
- SSDEEP
  
  393216:l2iLiU7VXd6AKprP7iJx4J20cQ3qpalJZfhxGWqIcckC:l2iNObp4x820AS7nj
Score

10^/10

bootkit discovery evasion exploit persistence ransomware trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Disables Task Manager via registry modification
  evasion
- Possible privilege escalation attempt
  exploit
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Modifies file permissions
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Pre-OS Boot

Bootkit

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

File and Directory Permissions Modification

Windows File and Directory Permissions Modification

Hide Artifacts

Hidden Files and Directories

Impair Defenses

Disable or Modify Tools

Indicator Removal

File Deletion

Modify Registry

Pre-OS Boot

Bootkit

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Defacement

Inhibit System Recovery

Tasks

static1

behavioral1

discoveryevasionpersistenceransomwaretrojanupx

behavioral2

discoveryevasionpersistenceransomwaretrojan

behavioral3

wannacrydefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerworm

behavioral4

behavioral5

bootkitdiscoveryevasionexploitpersistenceransomwaretrojan