wannacry

General

Target

web.asm
Size

2KB
Sample

250205-srhbbssjgx
MD5

57d423ca4add6241bb21bbadb9d6177a
SHA1

b474f7422001e7f740d2de6dc9e750f77ea3bc76
SHA256

755768e16043b1ea870717a5e84dd6d522d6ab71a85d3b9935f82af1651c34f7
SHA512

165f76d5a045124453e4ef4807193c33e32078de17b13cc932a10dc19a42d6b60c06e7c5c257a7ff15dcfe5baa1998e8774bf0a862e751bf2239a16db0516a29

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

- Target
  
  web.asm
- Size
  
  2KB
- MD5
  
  57d423ca4add6241bb21bbadb9d6177a
- SHA1
  
  b474f7422001e7f740d2de6dc9e750f77ea3bc76
- SHA256
  
  755768e16043b1ea870717a5e84dd6d522d6ab71a85d3b9935f82af1651c34f7
- SHA512
  
  165f76d5a045124453e4ef4807193c33e32078de17b13cc932a10dc19a42d6b60c06e7c5c257a7ff15dcfe5baa1998e8774bf0a862e751bf2239a16db0516a29
Score

10^/10

wannacry bootkit defense_evasion discovery execution impact persistence ransomware spyware stealer upx worm
- Suspicious use of NtCreateProcessExOtherParentProcess
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Disables Task Manager via registry modification
  defense_evasion
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2