General
-
Target
https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.WannaCry
-
Sample
250120-xqx3lstqey
Malware Config
Extracted
C:\Users\Admin\Downloads\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Targets
-
-
Target
https://github.com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.WannaCry
Score10/10-
InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
-
Infinitylock family
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Powershell Invoke Web Request.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Indicator Removal
1File Deletion
1Modify Registry
6Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1