wannacry

General

Target

PlayniteInstaller.exe
Size

248KB
Sample

250109-175qkasqev
MD5

216721738f08fbd3b233e07619950619
SHA1

08c9849bfc78aa4f8f358cbf2301598fdb48620f
SHA256

2b2ff0f08c60f44ce321573ce0f00a44e336538775735a8f5d6644a12b46124f
SHA512

24d6f3e6cd9b823169cdcce8977f03b38a7b9579ff8c65257570de9aeb440cf966fc2c571d9de363d10eead47a49c58bf4d55f9ae2860a0fea76cc84e77426cf
SSDEEP

3072:xNi5RzqbBZCKzSU/8+xFO0AtqtCi2yJir3YgECNWmkCK2yJir3YgECNWmTN8lQx1:7iDzqfoKtO0Atq6Z

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Targets

- Target
  
  PlayniteInstaller.exe
- Size
  
  248KB
- MD5
  
  216721738f08fbd3b233e07619950619
- SHA1
  
  08c9849bfc78aa4f8f358cbf2301598fdb48620f
- SHA256
  
  2b2ff0f08c60f44ce321573ce0f00a44e336538775735a8f5d6644a12b46124f
- SHA512
  
  24d6f3e6cd9b823169cdcce8977f03b38a7b9579ff8c65257570de9aeb440cf966fc2c571d9de363d10eead47a49c58bf4d55f9ae2860a0fea76cc84e77426cf
- SSDEEP
  
  3072:xNi5RzqbBZCKzSU/8+xFO0AtqtCi2yJir3YgECNWmkCK2yJir3YgECNWmTN8lQx1:7iDzqfoKtO0Atq6Z
Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Sets desktop wallpaper using registry
  ransomware
behavioral1