wannacry

General

Target

PortaRAT.exe
Size

245KB
Sample

250413-1472hstm13
MD5

ba4075021c4e845372a110f5a2225cf2
SHA1

43fe5e18f3f283cff474549b0cb59991261b01ee
SHA256

3dff7daa21e2b7f2a6c8c3ced325c9cdbc66f8c454a669608ce14f2e643c56f1
SHA512

7987ffea17ce0e00a734eff468b8f4c348ae7fe29f82ad66ca77936d27225defea5753501e75f63dfe8ea961561d2525e912b36e359ff7884e08d40bdd6b7312
SSDEEP

3072:kRPlsVWAbFt5EO7GyMubk8kBP3jf6/FfwKDt:QcrbiWk886xwK

Score

10^/10

Malware Config

Extracted

Family

xworm

C2

xml-processor.gl.at.ply.gg:35117

Attributes

Install_directory
%AppData%
install_file
USB.exe

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

- Target
  
  PortaRAT.exe
- Size
  
  245KB
- MD5
  
  ba4075021c4e845372a110f5a2225cf2
- SHA1
  
  43fe5e18f3f283cff474549b0cb59991261b01ee
- SHA256
  
  3dff7daa21e2b7f2a6c8c3ced325c9cdbc66f8c454a669608ce14f2e643c56f1
- SHA512
  
  7987ffea17ce0e00a734eff468b8f4c348ae7fe29f82ad66ca77936d27225defea5753501e75f63dfe8ea961561d2525e912b36e359ff7884e08d40bdd6b7312
- SSDEEP
  
  3072:kRPlsVWAbFt5EO7GyMubk8kBP3jf6/FfwKDt:QcrbiWk886xwK
Score

10^/10

wannacry xworm defense_evasion discovery execution persistence ransomware rat spyware stealer trojan worm
- Detect Xworm Payload
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Wannacry family
  wannacry
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Drops startup file
- Executes dropped EXE
- Modifies file permissions
  discovery
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- File and Directory Permissions Modification: Windows File and Directory Permissions Modification
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Sets desktop wallpaper using registry
  ransomware
behavioral1