Overview

overview

10

Static

static

1

SystemLogs (1).zip

windows11-21h2-x64

4

Browsers/C...RA.txt

windows11-21h2-x64

3

Browsers/P...ds.txt

windows11-21h2-x64

3

Epic/GameU...gs.ini

windows11-21h2-x64

3

Minecraft/...s.json

windows11-21h2-x64

3

Minecraft/...s.json

windows11-21h2-x64

3

Minecraft/...s.json

windows11-21h2-x64

3

Minecraft/...ts.nbt

windows11-21h2-x64

3

Steam/Dial...ig.vdf

windows11-21h2-x64

3

Steam/Dial...20.vdf

windows11-21h2-x64

3

Steam/Dial...80.vdf

windows11-21h2-x64

3

Steam/avat...08.png

windows11-21h2-x64

Steam/config.vdf

windows11-21h2-x64

3

Steam/copl...08.vdf

windows11-21h2-x64

10

Steam/libr...rs.vdf

windows11-21h2-x64

3

Steam/loginusers.vdf

windows11-21h2-x64

3

Steam/remo...ts.vdf

windows11-21h2-x64

3

Steam/stea...nifest

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SystemLogs (1).zip

  • Size

    201KB

  • Sample

    250201-2c73wasrhx

  • MD5

    6d11e22316445e943a8de41ee5b0f58c

  • SHA1

    07eccd20b9b685cec9c112028eabffdef6ed746f

  • SHA256

    27e88a998e03dec84b925232c7fad4095e2bb3cf6093b04fc01b2ac78af84508

  • SHA512

    e2226728c54d50a27f1d051be0c008b44f984888cb97511fd01575c71a7176d27a0f462684f0e436940230bbedfacec5036e29314bdc4eb4248f6cbea9853380

  • SSDEEP

    6144:gM99t+pO6c5/4Q8Z8CYQDtTjQPpAyTJTN:D9qxcmeuTUPpXL

Score
10/10
wannacrydefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerworm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

    • Target

      SystemLogs (1).zip

    • Size

      201KB

    • MD5

      6d11e22316445e943a8de41ee5b0f58c

    • SHA1

      07eccd20b9b685cec9c112028eabffdef6ed746f

    • SHA256

      27e88a998e03dec84b925232c7fad4095e2bb3cf6093b04fc01b2ac78af84508

    • SHA512

      e2226728c54d50a27f1d051be0c008b44f984888cb97511fd01575c71a7176d27a0f462684f0e436940230bbedfacec5036e29314bdc4eb4248f6cbea9853380

    • SSDEEP

      6144:gM99t+pO6c5/4Q8Z8CYQDtTjQPpAyTJTN:D9qxcmeuTUPpXL

    Score
    4/10
    discovery
    behavioral1

    • Target

      Browsers/Cookies/OPERA.txt

    • Size

      3KB

    • MD5

      467062ab9058f3ac45beb7fe6b4e74d0

    • SHA1

      a75d0c5febd5bb49322868f3f0d7aef27d58ead5

    • SHA256

      1c8fd0d4a710b936ccda450b99de628977c8578ded79f75916e583ed6c3ade4a

    • SHA512

      9796f2731d6c92b3bf0f9e236cee59815344d00856fe05e789d29ad1483c8ca56e1d5e472b15344d8c311116f892066d1929670df20eeb332fce7adb424052ad

    Score
    3/10
    behavioral2

    • Target

      Browsers/Passwords.txt

    • Size

      4KB

    • MD5

      cbee70c7b5aadc4fe7802175df1fc803

    • SHA1

      b6f22141e95b8838646655294db3b2449d7c4a35

    • SHA256

      5035a12407d280228c6c2a8b915bec154d3718e6d6f51d5698993a9e5a62caac

    • SHA512

      ad731fb4d51b94a6a4535659a91d2921b6aeb30874bae30ba0a83c33b38fba54d150795fa939be13b6ec7140d4c7d5182c81ed4230982949cf771f9a2261bbe6

    • SSDEEP

      96:ekMz2HbUaS92y9DQR62SqOkSTctUYPF2FsFBl2:efzCbUaS92y9DQR67qOkSItUYPcFsFBU

    Score
    3/10
    behavioral3

    • Target

      Epic/GameUserSettings.ini

    • Size

      2KB

    • MD5

      632b31d2b28e7873f92396db15d17a83

    • SHA1

      1a5b9ad67a6fd999ca5d30bbb25c49be45775b73

    • SHA256

      22267db06f0a6bf6656b3cafe4297f130165f28aa7ff652cc69a671bfb3e3731

    • SHA512

      5ea9d5fcc77893dda7f3fc46036b8812012924e26a097f597cd2191792f5ab20cebaed121f9d54fac319b29f0dbeef92431937831788fdef02adfb0694ffb9bc

    Score
    3/10
    behavioral4

    • Target

      Minecraft/Essential/microsoft_accounts.json

    • Size

      213KB

    • MD5

      e84e19c642a019bc127106f9f320334f

    • SHA1

      ae37805461e9bb8f0ff7b125c965821f4fc369e3

    • SHA256

      1e8529afa5c0d60fcf5a1ad54f89344376de9d369f6d8b86b95c88a271a791cc

    • SHA512

      4fb694fa2aae25874fd06d0167fb48a9a4fb5f25bfc1c0df122218a932b43f8cca66dd9be6334fe44e23b1c93262aa000103ae9460e8840fdc8fb1d882e8f8fc

    • SSDEEP

      3072:cl/+w7suBm21/R7vYG8Z6xKbpB213J6kXFv1H5uoEpJY2yVfsMnk2Yw:2Oim219wG8Z6x6pc7RtZtEEP04

    Score
    3/10
    behavioral5

    • Target

      Minecraft/Feather/accounts.json

    • Size

      1KB

    • MD5

      52e82da502a3859bc4966c87032752f7

    • SHA1

      dde2ef238dfed029fb15922f49853281f8f4433b

    • SHA256

      7584350aae843ec2ba5692e681fdc44d9e020c6f8333b996dd6d70156637cd43

    • SHA512

      c5c4c95d1417a373b9541c9172e5561f37fc680798f46998155b1abab74dd313724ec3ecc277828fcda69547aadb9f95ff9c457b02e2cfd9693d5752a23969e7

    Score
    3/10
    behavioral6

    • Target

      Minecraft/Lunar/accounts.json

    • Size

      1KB

    • MD5

      37a515b0a8552e2bdfd976733c879ebe

    • SHA1

      45879be26ba46c5e6c4d0e135567e5872d4ef932

    • SHA256

      b465d1755d053d44f5a5c9070ece683da3f502ce6e1e16a16268dfbe4d4fce1c

    • SHA512

      5094c69def882eef6b0e4445f4b2a16999f658a7be10d0e28c95e45dc73c54679507e365f20df7a643d1549b5b43138d873a14012b2049b8ad57d84994cada20

    Score
    3/10
    behavioral7

    • Target

      Minecraft/Meteor/accounts.nbt

    • Size

      20B

    • MD5

      e09a6e217276ad3642331b1d5c09ccf7

    • SHA1

      8ab3a8a90d53b8c606380e92e312a3a123280617

    • SHA256

      e664b27ad07331973ff06d02da7a74f32b873152a6d295798f5181862204ec03

    • SHA512

      ddc1d5149993650e108a5a15572cc63be0d4991589dc0e80f1b820c52d56ccc3aff07a4d221277d1210fee1eb51020074485b41f0668042963025ac4586d7bee

    Score
    3/10
    behavioral8

    • Target

      Steam/DialogConfig.vdf

    • Size

      21B

    • MD5

      13735126ca283077fc14e8d4d96e7902

    • SHA1

      0f640961e18cd8e58f3dfcdc0bd6e31cb8e363e4

    • SHA256

      72a0724fa33de182bc12b7df81a7fbde0d631012e318d075fe47949885518ee6

    • SHA512

      2a62754c50dc531665121e60290879d6264099330be73187501175e08e822194d82c3cae105c241bef0dc2ff07a39b7d6a27810a5002d58ab2c09647e58514e0

    Score
    3/10
    behavioral9

    • Target

      Steam/DialogConfigOverlay_1080x1920.vdf

    • Size

      21B

    • MD5

      13735126ca283077fc14e8d4d96e7902

    • SHA1

      0f640961e18cd8e58f3dfcdc0bd6e31cb8e363e4

    • SHA256

      72a0724fa33de182bc12b7df81a7fbde0d631012e318d075fe47949885518ee6

    • SHA512

      2a62754c50dc531665121e60290879d6264099330be73187501175e08e822194d82c3cae105c241bef0dc2ff07a39b7d6a27810a5002d58ab2c09647e58514e0

    Score
    3/10
    behavioral10

    • Target

      Steam/DialogConfigOverlay_1920x1080.vdf

    • Size

      21B

    • MD5

      13735126ca283077fc14e8d4d96e7902

    • SHA1

      0f640961e18cd8e58f3dfcdc0bd6e31cb8e363e4

    • SHA256

      72a0724fa33de182bc12b7df81a7fbde0d631012e318d075fe47949885518ee6

    • SHA512

      2a62754c50dc531665121e60290879d6264099330be73187501175e08e822194d82c3cae105c241bef0dc2ff07a39b7d6a27810a5002d58ab2c09647e58514e0

    Score
    3/10
    behavioral11

    • Target

      Steam/avatarcache/76561199490338408.png

    • Size

      67KB

    • MD5

      38e3de3970a275075094de709d1491f0

    • SHA1

      1933179533622db9e3d9c60c73e0e2c4673886e6

    • SHA256

      c41448925a67b8825351c5553f62dc5447e0600cebd56d3e03ed18ce4c5cb35a

    • SHA512

      67ccfde75f4a217164975c8fc72baa0de6e969135bab95b0291c5c10d40f7c12db7efa84476af0efdd27d5180ccd2f48f17c13a77c3da2aebaf5d6234a997860

    • SSDEEP

      1536:IhDkrVVDKPnyii8B+QfirA7XYZcdrkP+CfQPT9UQs2:usVMi8kQfnX3dAPzYPT9UQs2

    Score
    1/10
    behavioral12

    • Target

      Steam/config.vdf

    • Size

      16KB

    • MD5

      26539c5af02f5bde8aac3d51a7f9c48f

    • SHA1

      8fcf844bdb8a6c36d41404dbecd284ff5a08eead

    • SHA256

      507e63235987177aedca8e722c558939a68ba7108bfb5dd634b399c212e494a2

    • SHA512

      f23915adc8e92aefd5cc9fbb242d427c9f20d24491f2145da19c4277dd03c3e959368ff089de52dcb82a5c4b06855ad071d6f73ebe251824abc5fb7b20e9ec7e

    • SSDEEP

      384:umOPMjqiJ34itHFyiv1/Q1P11fXjGi1Nz1ZL1pne1a:ugjqit4itBv1/Q1P11Ki1Nz1ZL1Fe1a

    Score
    3/10
    behavioral13

    • Target

      Steam/coplay_76561199490338408.vdf

    • Size

      5KB

    • MD5

      5f0d3fc1102b8a08819f7189fc2c50ec

    • SHA1

      4ce61d817bf8fdad2bae47c685485a53e2673a0c

    • SHA256

      dfb4eda25a630e9744c2690885b4e442822c3d4af2b8996a60a2e2e1ba0960f5

    • SHA512

      9693b2d6ebd849f1c855d4fb907ddbe88a6913c60d566d43f604661e4382290283a0e37767916432f04f00d30136b3a6861c384221d16c1012c5f1e6b1563db4

    • SSDEEP

      96:4/0tbFZilWVbWyhTJ5ptAQ4cAphg3nCIrtvt5Jv+oelTW01AGhse0Fm2zrwzPq6O:sJT/5M4vAUDG

    Score
    10/10
    wannacrydefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Wannacry family

      wannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Sets desktop wallpaper using registry

      ransomware
    behavioral14

    • Target

      Steam/libraryfolders.vdf

    • Size

      428B

    • MD5

      f4469986041ad8ae73cdb91cd51e415e

    • SHA1

      4aaf50c8eb543e4de0e3a3f9d3c0eb8c8f0d7e59

    • SHA256

      436b92466e954846e4420d8287ad594015539305b7ac714dae6b94ce0dd4b362

    • SHA512

      11136e1dac3871d478ff57012340876daed8ddd8ffdac0978d8bbcec27fef872270a7a2cecb78b9eeda2988b660d0af0fb6b1a062bb7017333ec1bea1394cb46

    Score
    3/10
    behavioral15

    • Target

      Steam/loginusers.vdf

    • Size

      256B

    • MD5

      b1bec80a68491a341bc917abc49462e5

    • SHA1

      b660ee50043b7e01cef817a06066ff41fc65d959

    • SHA256

      bc8a35c62a1608d4b1e7e3cf28fa30201d2b91cbebac4a6d9be8bc146fa023ac

    • SHA512

      51d3d435ae13f338cfff1bb2e1923697f8e4fd7ce008839393735ee87ef3b6bd83d373a1a6a898f883f3026b3513fd02a0765e98ec35dcbb71546f371859f167

    Score
    3/10
    behavioral16

    • Target

      Steam/remoteclients.vdf

    • Size

      998B

    • MD5

      c10f728a3bda13a0be7eaa39ed9a5dd9

    • SHA1

      8457ad1e319924805f00ab510d8739ec57f591d4

    • SHA256

      1a437f807f1e19c787b8db819ab03e30b2b206df0bfbe7eca583d20e394cb1a0

    • SHA512

      fa5516068b94e7ab0556f7f245174da5e70bdfa1ecc3132d06908c00f5bb0883c83a3f4f46bf16958314b978e8fdfc70e693b2f225c363cbebf7e8ba06d6339d

    Score
    3/10
    behavioral17

    • Target

      Steam/steamapps.vrmanifest

    • Size

      47B

    • MD5

      8dddbd4ebcf391576016a88f4d8e1520

    • SHA1

      875573003391b113fcf8e11fede71424618a44a1

    • SHA256

      86af15e416cd4bd82d8f2b9a7a945dc7c4aa5882c1afc4e26a7f9b9e5a9d02c4

    • SHA512

      99c6ba91e23e05d21c467f0314029c44db83bb1edadb6866096d03fba93782c2bee819696fc0f6a2523ece78d2324f7442800f55f439c8644ffac51a7f124852

    Score
    3/10
    behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

File and Directory Permissions Modification

2
T1222

Windows File and Directory Permissions Modification

1
T1222.001

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

1
T1490

Tasks