wannacry

General

Target

sample
Size

267KB
Sample

241218-t4ydrawmdr
MD5

79c71a1177718da362083128aeddd237
SHA1

1496d4219e4266d0c609c93595c47d55a3fe375d
SHA256

0d3640ab26280297ecd40c7807f0c420fe376e3d32b59052279eb13a8fc9a7c4
SHA512

801244cd6d4a407d8c886803f5668ce1aaefec59d9f8c13a6a95654db847154419c8debe688f79248f218015ae7941f32bb4a7fc8830f607c2207bdabf3078ec
SSDEEP

3072:Rm/iwlwEq6DxoZw1ImA2l/R/h4w0yYGO0wImgrAwtN+Tl/j6q:Rm/j7jDxoZ2ImvRn0xGiITK6q

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

- Target
  
  sample
- Size
  
  267KB
- MD5
  
  79c71a1177718da362083128aeddd237
- SHA1
  
  1496d4219e4266d0c609c93595c47d55a3fe375d
- SHA256
  
  0d3640ab26280297ecd40c7807f0c420fe376e3d32b59052279eb13a8fc9a7c4
- SHA512
  
  801244cd6d4a407d8c886803f5668ce1aaefec59d9f8c13a6a95654db847154419c8debe688f79248f218015ae7941f32bb4a7fc8830f607c2207bdabf3078ec
- SSDEEP
  
  3072:Rm/iwlwEq6DxoZw1ImA2l/R/h4w0yYGO0wImgrAwtN+Tl/j6q:Rm/j7jDxoZ2ImvRn0xGiITK6q
Score

10^/10

wannacry aspackv2 google defense_evasion discovery execution impact persistence phishing ransomware spyware stealer upx worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (15294) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Downloads MZ/PE file
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Drops startup file
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Detected potential entity reuse from brand GOOGLE.
  phishing google
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1