wannacry

General

Target

RemakePuls3.rar
Size

7.2MB
Sample

241016-rymnysvblc
MD5

0e0df8ad4df9a5523f9ae7434f15f503
SHA1

fc701bbe97cd71e096c18c11e864e29b22c3c1fd
SHA256

61380b03c4ff0731124f64ff05977d9ff683c2f508b90b38345ed4e4683dbf22
SHA512

e043c2d6aa0f82cf4ecb3e38441bd95d66d186a82c078546ee278c282c5d34ebc147d3694143d172049b575740306cc9666ce765c015a085ec243e9074c87bb5
SSDEEP

98304:+Dtw/EehLBfBhGsR7sohnb9a2qNhcr4bD4v1566+/y6p0r7FkT0LjqVaoUp0sLQr:+iEevZhzsk9arjPD4v15ODeHWxaBK9WK

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  RemakePuls3.rar
- Size
  
  7.2MB
- MD5
  
  0e0df8ad4df9a5523f9ae7434f15f503
- SHA1
  
  fc701bbe97cd71e096c18c11e864e29b22c3c1fd
- SHA256
  
  61380b03c4ff0731124f64ff05977d9ff683c2f508b90b38345ed4e4683dbf22
- SHA512
  
  e043c2d6aa0f82cf4ecb3e38441bd95d66d186a82c078546ee278c282c5d34ebc147d3694143d172049b575740306cc9666ce765c015a085ec243e9074c87bb5
- SSDEEP
  
  98304:+Dtw/EehLBfBhGsR7sohnb9a2qNhcr4bD4v1566+/y6p0r7FkT0LjqVaoUp0sLQr:+iEevZhzsk9arjPD4v15ODeHWxaBK9WK
Score

10^/10

wannacry defense_evasion discovery evasion execution impact persistence ransomware themida trojan worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1