wannacry

General

Target

Screenshot 2024-10-28 215233.png
Size

25KB
Sample

241030-snf9vsvlds
MD5

7b307a95029dd50f97b58ee08553217e
SHA1

236ba3bf7da821fb44920eaa321a5428cba2e139
SHA256

ce67d881f76f6a21f64c79a109422a0a9322f490fdc7eaaf72142ae2bbedaa71
SHA512

40155ca2657ab586b056083705a93614deda716456c16a51efad13eecd57f54e41d858289805ba34ddffe45ca2140925451cec990a7ae1ceb800d290193209d6
SSDEEP

768:lhKjmw5wQw7RfWNKybNJGooXbL/3u+c74kvrF:ljwEaNJz8bCfHrF

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  Screenshot 2024-10-28 215233.png
- Size
  
  25KB
- MD5
  
  7b307a95029dd50f97b58ee08553217e
- SHA1
  
  236ba3bf7da821fb44920eaa321a5428cba2e139
- SHA256
  
  ce67d881f76f6a21f64c79a109422a0a9322f490fdc7eaaf72142ae2bbedaa71
- SHA512
  
  40155ca2657ab586b056083705a93614deda716456c16a51efad13eecd57f54e41d858289805ba34ddffe45ca2140925451cec990a7ae1ceb800d290193209d6
- SSDEEP
  
  768:lhKjmw5wQw7RfWNKybNJGooXbL/3u+c74kvrF:ljwEaNJz8bCfHrF
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2