General
- Target: flask_app.py
- Size: 10KB
- Sample: 250130-cnwfsavjhl
- MD5: eb83bde40a0f7ab84768d636fec651f9
- SHA1: 24e85280883bf5d99f29c8083e42fd667fad4c31
- SHA256: fb10b3e4de839d7a931400530d2223a491dda0e7724031936f8399cf1c4c1fae
- SHA512: de510e9207152917502f8609b4b6a1ed21289d65d5906e70636de55bf7a22ba8d94eff2143033576450d0469a27fe8587f8ebe6500a70119581eec4b867a4189
- SSDEEP: 192:sFcdnqOu9I6ozhzDuxU0ta3FJEhpkIfQZv8rlgNkZjSRm4pIbuIosbfRRDJVM3uf:sFcdqTMJEtyv8Bg4YpHIpZFpZ
Static task
- static1
Behavioral task
- behavioral1
  - Sample: flask_app.py
  - Resource: win11-20241007-en
Malware Config
- Extracted from: C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\!Please Read Me!.txt
- Family: wannacry
- 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Targets
- flask_app.py (10KB; hashes as listed under General)
- BadRabbit: ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
- Badrabbit family
- Mimikatz family
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Wannacry family
- Deletes shadow copies: ransomware often targets backup files to inhibit system recovery.
- Mimikatz is an open-source tool to dump credentials on Windows
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Disables use of System Restore points
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
- Modifies Windows Firewall
- Drops startup file
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15
Execution
- Scheduled Task/Job (1)
  - Scheduled Task (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- Impair Defenses (5)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
  - Safe Mode Boot (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (6)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)