wannacry

Sharing

Copy URL

Twitter E-mail

General

Target

LCrypt0rX ft other malwares.zip
Size

15.8MB
Sample

241101-hyq7pswqbz
MD5

6bc26f8875381b29892789853672bf21
SHA1

0c8cc75bf3ac346beffed45d6031e2c9f604afc3
SHA256

d89f8d317cf5f8600cc5abe52846f38bf191ecbfb841817696d89d59dbca03c1
SHA512

310a2e51019914549f3d6c79fac88a62030b23090980cd99c38d1dba1c2a435fc995e86294b5e3cade13e7bc712aa128045b056be2316f57e1de9678d0e407ac
SSDEEP

393216:2l1kW5DYllg7yVL4SBJvknuHEoZBvisQIdujd0NIyRw:wkW5Ung+dJMVoZBqZIduCNrm

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Language

hta

Source

URLs

hta.dropper

http://93.115.82.248/?0=1&1=1&2=9&3=i&4=7601&5=1&6=1111&7=nnatstcnwb

Targets

- Target
  
  Ransom.Win32.LCrypt0rX.A/LCrypt0rX with shutdown.vbs
- Size
  
  22KB
- MD5
  
  daff797005d106285f0c108163c12112
- SHA1
  
  eab3a12828fb714fb0bec51370f9e96fbc6acca9
- SHA256
  
  0238c46480d90db10c2be7f3742bf45eb5cf5f6b1e5865c9adc066b6bd9a550e
- SHA512
  
  2a0c2ac6e8f81a7d1b3aa7f5652d60de35567d68a85fdc7b66ed0b978c3674c61ed1bb08f5081e2fa6e20659bf2610f348fc00ef45030018814dbd0e0bdc06cd
- SSDEEP
  
  384:tpGbplStxYHQHSH7l+ivHVn2jvVQayXwA+sxQ+E6f:shR26Y+Ee
Score

10^/10

defense_evasion evasion execution impact persistence ransomware trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Blocklisted process makes network request
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
behavioral1
- Target
  
  Ransom.Win32.LCrypt0rX.A/LCrypt0rX.vbs
- Size
  
  21KB
- MD5
  
  39be1e0cf0a4887481f3214a5b7106c3
- SHA1
  
  2a7dd94edff0e98df02c4d3855c18888d6e12ee8
- SHA256
  
  c35ad4c7258f0246390c69160d7f3cf3c2f3d6bfe644370e7c1854be43ce620f
- SHA512
  
  317ced51dc5f552dba26aa1c26fe1e74e415966172cbbd1cc9fc20d368382a97535c72a146c09cf6bc0a0d89a7c9c593bb2ffb3fc427889eae4965a6a5f42c21
- SSDEEP
  
  384:tpGbplStxYHQHSH7l+ivHVn2jvVQayWwA+sxQ+E6O:shR23Y+EF
Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Blocklisted process makes network request
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
behavioral2
- Target
  
  Ransom.Win32.LCrypt0rX.A/sig.vbs
- Size
  
  20KB
- MD5
  
  478dcc65198e9bf4df7f854fee65943e
- SHA1
  
  06b8fb9cac4ddbeee06f3b726dc067390a179153
- SHA256
  
  58dd4def583d07fcf1ab0c222b381e12e29d79f98ad42ae4c7f2be68f465e33e
- SHA512
  
  a8384657932ebe6e976b328280d9155b666b13f0f379db6eb13eb1aac49a59550087efbf30ff626964674cae290cd53e4a28a82924a27aacd72bf5591d169ceb
- SSDEEP
  
  192:tLOsz49SnH7l+ia3BBVNR3GdSXQ/xC4ZioXAHxQjAx6QayUW9wZi+YwED/fm8QSc:tTkSH7l+iaHVn2jvbQayXwA+sxQ+E6O
Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Blocklisted process makes network request
- Blocks application from running via registry modification
  Adds application to list of disallowed applications.
  evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Disables RegEdit via registry modification
  evasion
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
behavioral3
- Target
  
  other malware cuz why not/000.exe
- Size
  
  6.7MB
- MD5
  
  f2b7074e1543720a9a98fda660e02688
- SHA1
  
  1029492c1a12789d8af78d54adcb921e24b9e5ca
- SHA256
  
  4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
- SHA512
  
  73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
- SSDEEP
  
  3072:eaLA1++iCeFj0im6X/AXpT8vVMCcHVcdhghUuz1o9Y:fLJlC6j0CX4XmvWHVcd62uO9
Score

8^/10

discovery evasion persistence ransomware
- Disables Task Manager via registry modification
  evasion
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral4
- Target
  
  other malware cuz why not/[email protected]
- Size
  
  2.0MB
- MD5
  
  c7e9746b1b039b8bd1106bca3038c38f
- SHA1
  
  cb93ac887876bafe39c5f9aa64970d5e747fb191
- SHA256
  
  b1369bd254d96f7966047ad4be06103830136629590182d49e5cb8680529ebd4
- SHA512
  
  cf5d688f1aec8ec65c1cb91d367da9a96911640c695d5c2d023836ef11e374ff158c152b4b6207e8fcdb5ccf0eed79741e080f1cbc915fe0af3dacd624525724
- SSDEEP
  
  49152:FH/1Fdq0wneDrEoYxWFjmYMcKabLVp3diY7kp:FH/1Fdq0nIo2YAcl/NisA
Score

7^/10

discovery persistence spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
behavioral5
- Target
  
  other malware cuz why not/[email protected]
- Size
  
  9.7MB
- MD5
  
  1f13396fa59d38ebe76ccc587ccb11bb
- SHA1
  
  867adb3076c0d335b9bfa64594ef37a7e2c951ff
- SHA256
  
  83ecb875f87150a88f4c3d496eb3cb5388cd8bafdff4879884ececdbd1896e1d
- SHA512
  
  82ca2c781bdaa6980f365d1eedb0af5ac5a80842f6edc28a23a5b9ea7b6feec5cd37d54bd08d9281c9ca534ed0047e1e234873b06c7d2b6fe23a7b88a4394fdc
- SSDEEP
  
  196608:CtbTP1ErBwMQjd1YTHdmpCP2PVgP/acIE/xQ0zyZejVk+YzbRdTZ:C1E1+dYx6OP9hdyZwV4zd
Score

7^/10

discovery persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral6
- Target
  
  other malware cuz why not/[email protected]
- Size
  
  3.4MB
- MD5
  
  84c82835a5d21bbcf75a61706d8ab549
- SHA1
  
  5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- SHA256
  
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
- SHA512
  
  90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
- SSDEEP
  
  98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Sets desktop wallpaper using registry
  ransomware
behavioral7
- Target
  
  other malware cuz why not/NoEscape.exe
- Size
  
  666KB
- MD5
  
  989ae3d195203b323aa2b3adf04e9833
- SHA1
  
  31a45521bc672abcf64e50284ca5d4e6b3687dc8
- SHA256
  
  d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f
- SHA512
  
  e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305
- SSDEEP
  
  12288:85J5X487qJUtcWfkVJ6g5s/cD01oKHQyis2AePsr8nP712TB:s487pcZEgwcDpg1L2tbPR2t
Score

3^/10

discovery
behavioral8
- Target
  
  other malware cuz why not/WindowsAcceleratorPro.exe
- Size
  
  1023KB
- MD5
  
  981931159e45242cc1c3dcbdb47846d7
- SHA1
  
  875bd5c00a30df19216e7f08bc18d97490ed25a6
- SHA256
  
  69461917822ca791194992d7b7d01e12afbf0eb86ae327b3fb86df01012e060e
- SHA512
  
  ffad32e77bcd989a20e1226021280204ded3e4ba7987e02978859be966e454785a0c0e196397378ad47d57f251764aeade3836127fe94ef67800342591fc63ce
- SSDEEP
  
  24576:A+nV9M1Yek6EYqNc4p9cAnlwDUctAaxu190ryaJqc5D9X32pVa:A+nsr1E66eAnEUc6CuEryaJqc5RWpVa
Score

10^/10

defense_evasion discovery evasion persistence trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Blocklisted process makes network request
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral9
- Target
  
  other malware cuz why not/loveletterworm fixed.vbs
- Size
  
  4KB
- MD5
  
  5c5cfc1e6e91a733e225cf6f39d74623
- SHA1
  
  f0d2fc4eff812edb4e40db5c155b95aa9575e472
- SHA256
  
  3fb3b4aa431e328c471b7fc814e662ffed93132209fffce2b996eb9ada66e727
- SHA512
  
  ad42b84774fafd7363218e874b35aae6d3355efb442b036e6d7d0fed18ab665c5de5ef3bc84b8f13fee79f17ebd57b299dd2ac14401a33d897d5bffe46f8a3af
- SSDEEP
  
  96:ekmO+aYCe4pz7A9dYaG+GrQU18YDMjryGvGdeVYPGFwrCZ76QJakfExKdy:1gCnpz7A9bvzEDgnVegYVqepkGOy
Score

9^/10

persistence ransomware spyware stealer
- Renames multiple (335) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops file in System32 directory
behavioral10