Extracted

• • Target

    spoofer/Activation.exe

  • Size

    703KB

  • MD5

    8c1d40db6464fd098716a317486db961

  • SHA1

    4b4d82e0a91f11e1348488b9e9edd43697d9db67

  • SHA256

    7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5

  • SHA512

    16c868e227c4928dfcc116ba6e9d93c22418936cad625cd48645abb96229d31ee1329105097d2e7f36f6382e214dfd54e1eb92842bcc45edd978f64da6c4c6dd

  • SSDEEP

    6144:5UPAUV624Zk+nC+f8Z7DgMvVXYNlV8F/2/6utZeiXhOy8oMmkCOutH5BysohXWwm:5mV620nN8ZoAutZeiXhOBuOaBToo4ZY

  Score

  10^/10

  wannacrydefense_evasiondiscoveryexecutionexploitimpactpersistenceransomwareworm

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry

  • Wannacry family

    wannacry

  • Deletes shadow copies

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution

  • Possible privilege escalation attempt

    exploit

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Modifies file permissions

    discovery

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    defense_evasion

  • Legitimate hosting services abused for malware hosting/C2

  • Sets desktop wallpaper using registry

    ransomware
  behavioral1

• • Target

    spoofer/Serials_Checker.bat

  • Size

    771B

  • MD5

    f7f6aab3d1c377eb69e9b786cd22a50b

  • SHA1

    e6f9c2b61c6df03bd3818ede183b6aacdfafa1ba

  • SHA256

    f95d45eb40e7e4ce5f81c5cfca4232d81e9210a3b6743bbe196b4443cf5783d9

  • SHA512

    9322513e26aab226ca9a35e5bc3793a9f580712be284970d381917f0f953b95587707d37e4a09927db97149f5310b73be0dc46262be83b53205ef4ddf4778b8a

  Score

  1^/10
  behavioral2

• • Target

    spoofer/Spoofer.exe

  • Size

    9.5MB

  • MD5

    133d9d8901105e6b12d6c6b6bd24dd4a

  • SHA1

    a659f144a5bdc5ac15972da821a1a1fcb095c375

  • SHA256

    e2819114f1167b92939d08b19a4a0feb5997baf62a293b08735eecf863ce4f7c

  • SHA512

    0acae7ae4bfd69fab1d092494bbab8b70c8f407bb2992c8b049b05eccf284f473cb77602e984c9d8a1ab313ad66d44e497b9e1e3ee00744e37df820cd264bed3

  • SSDEEP

    196608:edHWUd/RF+SwgZyBP6v/m6bCJuzOTvbPVauYzIHHSqGJeorUe:edHPJYgZI5688OTvzAmnS9h

  Score

  5^/10

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral3