General

  • Target

    wanakiwi.zip

  • Size

    354KB

  • Sample

    240915-khhxhavckg

  • MD5

    e4f370b101104c15269a3b888ed98e08

  • SHA1

    ad5b797c7cc788a21403ca0cc959bb548580c84f

  • SHA256

    40da854572ad619f1e48ebc62e7ac42fc46b2f3fbdd0dd9069eb451b79f578f4

  • SHA512

    5fd22a7bc6ae20461aab75d0806309d0ed5f926219437a2a252dd96a4dcae616c0b7faa91a7f12d693c75ef9e36c26f0f876cf3fa82d85d419bfe08b1b8ab6ef

  • SSDEEP

    6144:khQbV921g4F8OnnPl66sLG2kFCUMPX3icAmBEtHxxxXww9yz8rgot:zYNmC0pPnAmB8tweyre

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      wanakiwi.zip

    • Size

      354KB

    • MD5

      e4f370b101104c15269a3b888ed98e08

    • SHA1

      ad5b797c7cc788a21403ca0cc959bb548580c84f

    • SHA256

      40da854572ad619f1e48ebc62e7ac42fc46b2f3fbdd0dd9069eb451b79f578f4

    • SHA512

      5fd22a7bc6ae20461aab75d0806309d0ed5f926219437a2a252dd96a4dcae616c0b7faa91a7f12d693c75ef9e36c26f0f876cf3fa82d85d419bfe08b1b8ab6ef

    • SSDEEP

      6144:khQbV921g4F8OnnPl66sLG2kFCUMPX3icAmBEtHxxxXww9yz8rgot:zYNmC0pPnAmB8tweyre

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

    • Target

      wanakiwi.exe

    • Size

      770KB

    • MD5

      7a1e8f601cbf8d88f77f0a5b69498763

    • SHA1

      4d5c0c0d507f0a2ed2a830eac84d45f98dc6a935

    • SHA256

      6a1f0ff9bf79c8a4d4209f441db87ed7f160b049ba130673e92ce9af142ffd6b

    • SHA512

      18d29ed47f7a84113cfd7444ba4ac365456601be990f072e10c55d5da15ea43113025163f6d4248336cf456fa802d6a8c6d0927b878831dde5af0d9d8344c502

    • SSDEEP

      12288:uVxSbrvynJLlZZgiCHCvLmUaNCU9KgJa0H07c4kJul:SxSbrvynBBve9CkAp

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks