Overview

overview

10

Static

static

10

2025-04-06...ch.exe

windows10-2004-x64

10

Resubmissions

06/04/2025, 16:36

250406-t4b6hstsb1 10

06/04/2025, 14:13

250406-rjthyszxe1 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-04-06_56c9b50e8936c2516fb1e809d9989912_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch

  • Size

    4.2MB

  • Sample

    250406-t4b6hstsb1

  • MD5

    56c9b50e8936c2516fb1e809d9989912

  • SHA1

    0fcfa3e92f55200e884c718652ffee7f4ed013e8

  • SHA256

    f14034d2f0c5b5485ef0d868db57bc24b83793681fe7d28e5e89e6b1c3bb0abb

  • SHA512

    5ce6e2288497561d9bd01ce851588d94b25a0b6441973e7c3ab0cb73fae86567702ae091aaca8c32774aae10b23f66ce3730f26c8cb0a662e57f0759900bf31e

  • SSDEEP

    49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4A:ieF+iIAEl1JPz212IhzL+Bzz3dw/VC

Score
10/10
badrabbitdharmagofingwannacrycredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealertrojanworm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

    • Target

      2025-04-06_56c9b50e8936c2516fb1e809d9989912_cobalt-strike_frostygoop_ghostlocker_luca-stealer_sliver_snatch

    • Size

      4.2MB

    • MD5

      56c9b50e8936c2516fb1e809d9989912

    • SHA1

      0fcfa3e92f55200e884c718652ffee7f4ed013e8

    • SHA256

      f14034d2f0c5b5485ef0d868db57bc24b83793681fe7d28e5e89e6b1c3bb0abb

    • SHA512

      5ce6e2288497561d9bd01ce851588d94b25a0b6441973e7c3ab0cb73fae86567702ae091aaca8c32774aae10b23f66ce3730f26c8cb0a662e57f0759900bf31e

    • SSDEEP

      49152:ieutLO9rb/TrvO90dL3BmAFd4A64nsfJJ2TIA5GNP1Jr4u/TgAPNdi9128qk1q4A:ieF+iIAEl1JPz212IhzL+Bzz3dw/VC

    Score
    10/10
    badrabbitdharmagofingwannacrycredential_accessdefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealertrojanworm

    • BadRabbit

      Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

      ransomwarebadrabbit

    • Badrabbit family

      badrabbit

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

      ransomwaredharma

    • Dharma family

      dharma

    • Gofing

      Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

      ransomwaregofing

    • Gofing family

      gofing

    • Gofing is a ransomware written in Golang using Velocity Polymorphic Compression (VPC) obfuscation.

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      defense_evasiontrojan

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Wannacry family

      wannacry

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Renames multiple (133) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Blocklisted process makes network request

    • Disables Task Manager via registry modification

      defense_evasion

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Manipulates Digital Signatures

      Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Credentials from Password Stores: Windows Credential Manager

      Suspicious access to Credentials History.

      credential_accessstealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1
T1091

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Direct Volume Access

1
T1006

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Replication Through Removable Media

1
T1091

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Tasks