wannacry

General

Target

Voicemod Pro by mr.motchy.rar
Size

23.9MB
Sample

241115-yw1alavlfl
MD5

3b3964dd90392fba603193e65dfba598
SHA1

6b51d14593ba291d8b30a0a4269b1c7d509a02b6
SHA256

7bc72601a99488910e0e3ebfd167b0e6c6a66ac7aa0de499699b7621859e320f
SHA512

cecd245ee1eb788c3648b41296fc45a0e1cb1547a40a87ef9267dadf54c19cd8e1b44671dbb642b42625511143fc8db3ef3875adc81a0e307b1f58c1d487d171
SSDEEP

393216:/sIjAng3sG7QlVdhgXZJGW5+bIGdS9ZNNYbvzKX8sDjvjwUjdEPy8NDOhKujw+Yu:/FjegcG7Qlfa3H5+bbQhNYbvzKX8sDjf

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  Voicemod Pro by mr.motchy/VoicemodCrack/VoicemodDesktop.exe
- Size
  
  2.7MB
- MD5
  
  237551f6b806666f9c0c3f5669380195
- SHA1
  
  5a7aa3c8460e1be4e4cd3d244a59b285a8dcdda6
- SHA256
  
  2a4176466f2a9cb6edfb74f04ecc737672363876b7df6b06fe5132533eaf0d05
- SHA512
  
  87eaa33d93513f217d754acde0191ae0c7b73a9443602e8cbb44da09e66a33a19bcbb8a503fce7a08ed15174afe5f1dc708896fb415fca174a721b22bf969f69
- SSDEEP
  
  49152:/3bKUlADq0GArjFFLqIHaLafIXYXpdwbSC:eUToFFL5HHfWwpdweC
Score

1^/10
behavioral1 behavioral2
- Target
  
  Voicemod Pro by mr.motchy/VoicemodSetup.exe
- Size
  
  22.2MB
- MD5
  
  2c74a59f3a312c9003e3bdf2f458c87f
- SHA1
  
  97b1ede9c186ea36a74bceb1bf5e5689aad99086
- SHA256
  
  afd7452c34570e409fc0c2bc8a22fb7429a3cc8f48e85fe6a154656ec020330d
- SHA512
  
  b5e8810733694aa773c4c3b8a4063e5fddd962b64d2ad697223ddeb7337f09e8c21fc1efdb2c13c854f2e6884940fac217338e0839fd21d2b4db3c2da031a392
- SSDEEP
  
  393216:D2MvvQScyvXuaXVTwkBgoEMNBrDXLuzLYzCdcv8p5UPxaMQlBf4PrE:SMvVcysoEcLuzLig5p5UPxtyAP4
Score

10^/10

discovery wannacry defense_evasion execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Drops file in Drivers directory
- Drops startup file
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Downloads MZ/PE file
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral3 behavioral4