wannacry

General

Target

ccsetup632.exe
Size

83.2MB
Sample

250208-z3kn6awjck
MD5

42a23a1899e956fec4f210bb630da088
SHA1

17d1f38ac321815469cbb069bfa1590c9ac52b30
SHA256

dae4c01b29aa545db7067a8be8bd9855f76573ebed9ff7861de7cbcb5df4bee8
SHA512

a33a1e5744cb6b959d18fc7eab18f896b095740c5992306840599f62e9096b9bb7362f9e07d3975dfc3666f9c54171fbc937456b4038ef432fae7a452678b434
SSDEEP

1572864:EkKSMu396HcSftLgUtOYdmqzazt8OYLAifMY5fR+3GelN3qijMKa:EkiuN6xfm0vmzt9YMoQTR7Pa

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

- Target
  
  ccsetup632.exe
- Size
  
  83.2MB
- MD5
  
  42a23a1899e956fec4f210bb630da088
- SHA1
  
  17d1f38ac321815469cbb069bfa1590c9ac52b30
- SHA256
  
  dae4c01b29aa545db7067a8be8bd9855f76573ebed9ff7861de7cbcb5df4bee8
- SHA512
  
  a33a1e5744cb6b959d18fc7eab18f896b095740c5992306840599f62e9096b9bb7362f9e07d3975dfc3666f9c54171fbc937456b4038ef432fae7a452678b434
- SSDEEP
  
  1572864:EkKSMu396HcSftLgUtOYdmqzazt8OYLAifMY5fR+3GelN3qijMKa:EkiuN6xfm0vmzt9YMoQTR7Pa
Score

10^/10

wannacry bootkit defense_evasion discovery persistence phishing ransomware spyware stealer worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- Drops startup file
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Downloads MZ/PE file
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1