Extracted

Extracted

• • Target

    COM SURROGATE.exe

  • Size

    75KB

  • MD5

    434f15cbdf67f504d1dbba4f87e59350

  • SHA1

    13ae6a57dd92ea0235a82197133060b09d9509bd

  • SHA256

    efa9b10e72da83e31499b2316fda23c106ec36d877f4d8bbd6c75bb8b3d9e67c

  • SHA512

    abbb1052ada2d04f9fddb4085fe2ffb96b0acdfdfcc17c80bf68f27a1b3a47f815256c2b9616946f403552a5262aaafe34914292fa9582f67b254e9262ef23dc

  • SSDEEP

    1536:O3un0Od36serzX4hckbHgjkVgjB6oY0xO0BJU64fUX8u:4unp6nrLKckbHgY0xO0BJUhcX8u

  Score

  10^/10

  wannacryxwormdefense_evasiondiscoveryexecutionimpactpersistenceransomwareratspywarestealertrojanworm

  • Detect Xworm Payload

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry

  • Wannacry family

    wannacry

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Xworm family

    xworm

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    defense_evasion

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1