General

  • Target

    AutoDF-Fix_Crash_1.lua_1.txt

  • Size

    795B

  • Sample

    240922-mee3jsvbpd

  • MD5

    aa53bc9f880e6d54571d9fbcb62ffa87

  • SHA1

    b169f141ba8e5d2b425c3920fd42ec7dab1e0b43

  • SHA256

    5ee442fd5183b356e9ae58b55c484fef68472d9a2e542194c24c2b76e5f92b6b

  • SHA512

    c2f2e2f054a826e5786d6396e7ba46b7d75fbe096a73a519dab3efabd4f68ee01c1e9920eaa21dc138201b99f0140feac0d76467154252565a604c2f302bfecc

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

    • Target

      AutoDF-Fix_Crash_1.lua_1.txt

    • Size

      795B

    • MD5

      aa53bc9f880e6d54571d9fbcb62ffa87

    • SHA1

      b169f141ba8e5d2b425c3920fd42ec7dab1e0b43

    • SHA256

      5ee442fd5183b356e9ae58b55c484fef68472d9a2e542194c24c2b76e5f92b6b

    • SHA512

      c2f2e2f054a826e5786d6396e7ba46b7d75fbe096a73a519dab3efabd4f68ee01c1e9920eaa21dc138201b99f0140feac0d76467154252565a604c2f302bfecc

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks