Resubmissions

13/04/2025, 16:39

250413-t55t8azjv8 10

13/04/2025, 16:37

250413-t4ss9szxhw 3

General

  • Target

    realgangflexflex.exe

  • Size

    540KB

  • Sample

    250413-t55t8azjv8

  • MD5

    8e86f171ff6f39682b5a2bc566bfc1a9

  • SHA1

    925a6856382b1b1e139d3cdc860d5267366e30f9

  • SHA256

    fb5422ac425f13f6ea041a30d25dbc22b8475ccd8d54c9b149f865db37262d21

  • SHA512

    645481936f13195c07fa30938d93fae86b60b3fc646bb5769762fe29c99284886fd18d2e53073c46fe877b0384a8385799beb79001fd2b18e8e37c2880ce3116

  • SSDEEP

    12288:5UiEotalUB8gOfa7NA4Y9hjmQ1VXCudD3ZwmsKDXMJ:yloclwP7NzY9hjmaVXCu5sKDc

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Targets

    • Target

      realgangflexflex.exe

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Wannacry family

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Modifies file permissions

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v16

Tasks