mimikatz

General

Target

heisenberg.exe
Size

37.3MB
Sample

240825-mnb29a1gmj
MD5

02cb6d1971fb53861285f273d799ced3
SHA1

16946db5c16d768c0d76fab6761c65358863fc59
SHA256

996de893ce9219a90fa76beab00295734913b55a6b85dd9c227175cf4cc93e3e
SHA512

aed27298d6186bf556da9f0856df0e053e7df67f22e25989d57b741ef1edc6d26e12f44b2b6be13d2c6c1001e5df1266b307f136a1077cc79f733661cdc77c78
SSDEEP

786432:NisAB+Mi4XOBuW8TSHh6MbpTfK9Ua895WhqvEOTVxBwBirBVeUnKyI:NihL+8+B60WhqvE6fwBO+Uu

Score

10^/10

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

xihYVi6fTjrH6gfk

Attributes

Install_directory
%AppData%
install_file
Telegram.exe
pastebin_url
https://pastebin.com/raw/FdSMTxzR

aes.plain

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  heisenberg.exe
- Size
  
  37.3MB
- MD5
  
  02cb6d1971fb53861285f273d799ced3
- SHA1
  
  16946db5c16d768c0d76fab6761c65358863fc59
- SHA256
  
  996de893ce9219a90fa76beab00295734913b55a6b85dd9c227175cf4cc93e3e
- SHA512
  
  aed27298d6186bf556da9f0856df0e053e7df67f22e25989d57b741ef1edc6d26e12f44b2b6be13d2c6c1001e5df1266b307f136a1077cc79f733661cdc77c78
- SSDEEP
  
  786432:NisAB+Mi4XOBuW8TSHh6MbpTfK9Ua895WhqvEOTVxBwBirBVeUnKyI:NihL+8+B60WhqvE6fwBO+Uu
Score

10^/10

wannacry xworm bootkit defense_evasion discovery persistence ransomware rat trojan upx worm mimikatz
- Detect Xworm Payload
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- mimikatz is an open source tool to dump credentials on Windows
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2