Overview

overview

10

Static

static

3

wildfire-t...le.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    wildfire-test-pe-file.exe

  • Size

    54KB

  • Sample

    241114-afas1asanq

  • MD5

    a01913203fc4c42d7e05bc8135ddcc24

  • SHA1

    f6a792542cbe386d559700d452f7aea9617325c8

  • SHA256

    9646a1e1b53f02e6b7d559ea0128e7c3f9c76378e02e3e8734064a9df7675cc8

  • SHA512

    50ff3c475cc7b120d0dc2761a2aae118d4d33efc0185001f3ecc2d3508778eef4d0bd2a9a057593bc5f6ba29462c219204b7be2a426f6944e3e394bae93c7635

  • SSDEEP

    768:9/EAAqxG0QqLccK+xL7scaOZ/IcGs8WbwnWh+6AXT2qEDnXbiPGEDUXnpT0rJmnU:CAc0QqgHW7/ZwcF8c6jELX+PupTNj

Score
10/10
cryptolockerwannacrydefense_evasiondiscoveryevasionexecutionimpactpersistencephishingprivilege_escalationransomwarespywarestealertrojanworm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

    • Target

      wildfire-test-pe-file.exe

    • Size

      54KB

    • MD5

      a01913203fc4c42d7e05bc8135ddcc24

    • SHA1

      f6a792542cbe386d559700d452f7aea9617325c8

    • SHA256

      9646a1e1b53f02e6b7d559ea0128e7c3f9c76378e02e3e8734064a9df7675cc8

    • SHA512

      50ff3c475cc7b120d0dc2761a2aae118d4d33efc0185001f3ecc2d3508778eef4d0bd2a9a057593bc5f6ba29462c219204b7be2a426f6944e3e394bae93c7635

    • SSDEEP

      768:9/EAAqxG0QqLccK+xL7scaOZ/IcGs8WbwnWh+6AXT2qEDnXbiPGEDUXnpT0rJmnU:CAc0QqgHW7/ZwcF8c6jELX+PupTNj

    Score
    10/10
    cryptolockerwannacrydefense_evasiondiscoveryevasionexecutionimpactpersistencephishingprivilege_escalationransomwarespywarestealertrojanworm

    • CryptoLocker

      Ransomware family with multiple variants.

      ransomwarecryptolocker

    • Cryptolocker family

      cryptolocker

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • UAC bypass

      evasiontrojan

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Wannacry family

      wannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (107) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Modifies Windows Firewall

      evasion

    • Sets service image path in registry

      persistence

    • A potential corporate email address has been identified in the URL: [email protected]

      phishing

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

      defense_evasion

    • Loads dropped DLL

    • Modifies system executable filetype association

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

4
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

4
T1546

Change Default File Association

1
T1546.001

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Netsh Helper DLL

1
T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Safe Mode Boot

1
T1562.009

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

9
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

7
T1012

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

3
T1490

Tasks