Resubmissions

23/03/2025, 19:10

250323-xvmsfa11gt 10

23/03/2025, 18:49

250323-xglyzsvn17 8

23/03/2025, 18:23

250323-w1gb6str12 8

23/03/2025, 18:13

250323-wtvk8azwcy 8

23/03/2025, 18:01

250323-wlzvzatlz3 10

23/03/2025, 17:38

250323-v722saywcy 10

23/03/2025, 17:35

250323-v53kjayve1 10

23/03/2025, 17:27

250323-v1pswasnw2 10

23/03/2025, 15:05

250323-sf8n5sylt7 8

23/03/2025, 14:52

250323-r8x8faxrx9 8

General

  • Target

    EICAR.txt

  • Size

    68B

  • Sample

    250323-xvmsfa11gt

  • MD5

    44d88612fea8a8f36de82e1278abb02f

  • SHA1

    3395856ce81f2b7382dee72602f798b642f14140

  • SHA256

    275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

  • SHA512

    cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\Aufgaben(1)\Aufgabe 2\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

    • Target

      EICAR.txt

    • Size

      68B

    • MD5

      44d88612fea8a8f36de82e1278abb02f

    • SHA1

      3395856ce81f2b7382dee72602f798b642f14140

    • SHA256

      275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

    • SHA512

      cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

    • Modifies WinLogon for persistence

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Wannacry family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Downloads MZ/PE file

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • A potential corporate email address has been identified in the URL: [email protected]

    • Drops startup file

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v15

Tasks