wannacry

General

Target

osu!install.exe
Size

4.3MB
Sample

241004-n8rh4ssgnm
MD5

7a3a8644ed7d24c5aeadc265d2fa6fca
SHA1

5649dedf5ddbe67454019730ea9b36948095665b
SHA256

87ec7c7901234a7d6b65d37789f089f1f124c524ed7a7861188684354d0a32c6
SHA512

6aa3d14b0e21775434d78290a6e337d3ab4fe830740c5bd60acb1d84c1386685bbf0883d9bf6db53b1cc8015a642b3903fba0fd775e422a12603478c82eb5470
SSDEEP

98304:PNmKfYgREMJFBDSEtkARdVbNZYXNfRKHkxRxpDOhi:PNmKfYgREMJFBDSEtLbbNGX2oii

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.0-master\RANSOMWARE-WANNACRY-2.0-master\Ransomware.WannaCry\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

- Target
  
  osu!install.exe
- Size
  
  4.3MB
- MD5
  
  7a3a8644ed7d24c5aeadc265d2fa6fca
- SHA1
  
  5649dedf5ddbe67454019730ea9b36948095665b
- SHA256
  
  87ec7c7901234a7d6b65d37789f089f1f124c524ed7a7861188684354d0a32c6
- SHA512
  
  6aa3d14b0e21775434d78290a6e337d3ab4fe830740c5bd60acb1d84c1386685bbf0883d9bf6db53b1cc8015a642b3903fba0fd775e422a12603478c82eb5470
- SSDEEP
  
  98304:PNmKfYgREMJFBDSEtkARdVbNZYXNfRKHkxRxpDOhi:PNmKfYgREMJFBDSEtLbbNGX2oii
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1