Resubmissions

17-09-2024 17:18

240917-vvrehsvcqf 6

17-09-2024 17:13

240917-vrr7msvbrk 10

General

  • Target

    RobloxPlayerInstaller.exe

  • Size

    4.6MB

  • Sample

    240917-vrr7msvbrk

  • MD5

    f16ac9b02b4726b444b383d76db1ae18

  • SHA1

    7388c264874447d1ded6b6acaa35d26144d023a9

  • SHA256

    f59c4acec3cd952c3ab981d56e1e68f543ad8684a3b44c6b59b70fbabc2b5ff0

  • SHA512

    9bf0e99eae1406341358c787de4bfd412933af8ca064e0aa09f0bf6893b5d5d9899a82d360f423cc7fae6d647e7196778fddee031508caae99f4a9316e6edf39

  • SSDEEP

    98304:Q+v//h75UcT+6O6QCp4jgzg2ar8S9rpTwkTPKXbSz:Jnh75nTS6Qvg3utwSiE

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry (1).zip\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      RobloxPlayerInstaller.exe

    • Size

      4.6MB

    • MD5

      f16ac9b02b4726b444b383d76db1ae18

    • SHA1

      7388c264874447d1ded6b6acaa35d26144d023a9

    • SHA256

      f59c4acec3cd952c3ab981d56e1e68f543ad8684a3b44c6b59b70fbabc2b5ff0

    • SHA512

      9bf0e99eae1406341358c787de4bfd412933af8ca064e0aa09f0bf6893b5d5d9899a82d360f423cc7fae6d647e7196778fddee031508caae99f4a9316e6edf39

    • SSDEEP

      98304:Q+v//h75UcT+6O6QCp4jgzg2ar8S9rpTwkTPKXbSz:Jnh75nTS6Qvg3utwSiE

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Modifies file permissions

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Network Share Discovery

      Attempt to gather information on host network.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Sets desktop wallpaper using registry

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks