General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
-
Sample
250414-gt2xza11e1
Malware Config
Extracted
http://blockchainjoblist.com/wp-admin/014080/
https://womenempowermentpakistan.com/wp-admin/paba5q52/
https://atnimanvilla.com/wp-content/073735/
https://yeuquynhnhai.com/upload/41830/
https://deepikarai.com/js/4bzs6/
Extracted
C:\Users\Admin\Downloads\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Targets
-
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v16
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Indicator Removal
1File Deletion
1Modify Registry
2Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1