General
-
Target
MedalSetup.MzAzNDk1ODA1LDEsbm9yZWY=.exe
-
Size
146.1MB
-
Sample
241202-xpcehstken
-
MD5
c987cbef9f06beb7fd0889b593209aa4
-
SHA1
bcfb919be91a3fb2374bb07ff5661fe11792edbf
-
SHA256
1d620c8b5e06dcef6423f6f3d1601539b2461ff9ababdf440c5fd23db2110be9
-
SHA512
136528652d92d56c66e5a9c2d6cc3a0646e3a3c09c68e831338d8aa9490b73cd46d2947e7c7763ce9ab9b342285a5d0cfc7c2a62cde835b6845390caf8a2280d
-
SSDEEP
3145728:0K7Rq3JCtTOWfVRrlnSXbZHae+jgvS3YgJRAAlrpc:5qyBfVRZwN6e+U6vRAy
Malware Config
Extracted
C:\Users\Admin\Downloads\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Targets
-
-
Target
MedalSetup.MzAzNDk1ODA1LDEsbm9yZWY=.exe
-
Size
146.1MB
-
MD5
c987cbef9f06beb7fd0889b593209aa4
-
SHA1
bcfb919be91a3fb2374bb07ff5661fe11792edbf
-
SHA256
1d620c8b5e06dcef6423f6f3d1601539b2461ff9ababdf440c5fd23db2110be9
-
SHA512
136528652d92d56c66e5a9c2d6cc3a0646e3a3c09c68e831338d8aa9490b73cd46d2947e7c7763ce9ab9b342285a5d0cfc7c2a62cde835b6845390caf8a2280d
-
SSDEEP
3145728:0K7Rq3JCtTOWfVRrlnSXbZHae+jgvS3YgJRAAlrpc:5qyBfVRZwN6e+U6vRAy
Score10/10-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell to get system information.
-
A potential corporate email address has been identified in the URL: [email protected]
-
Drops startup file
-
Modifies file permissions
-
Adds Run key to start application
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Event Triggered Execution: Image File Execution Options Injection
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Installs/modifies Browser Helper Object
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2
-
Mark of the Web detected: This indicates that the page was originally saved or cloned.
-
Network Share Discovery
Attempt to gather information on host network.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops file in System32 directory
-
Enumerates processes with tasklist
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Browser Extensions
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Indicator Removal
1File Deletion
1Modify Registry
8Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Network Share Discovery
1Peripheral Device Discovery
2Process Discovery
1Query Registry
8System Information Discovery
8System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1