General

  • Target

    Skärmbild 2025-05-04 205841.jpg

  • Size

    167KB

  • Sample

    250518-wf87fsan3x

  • MD5

    0c45974e619cc493b81a6ac2b450230e

  • SHA1

    d9231f836a8099b0eeeaa32105f30f11e3f74541

  • SHA256

    c99d1ac3f8c3634bfb9e8cf34b656dc773cda48206e10b06d7491a870f7f4a4c

  • SHA512

    5964a483ff3dc32641f689cd8b47d6b0f73c4cc6c1a78e6fd0952085d1685ad21ff2ce9cbc320768ec0f7881ebbbf7512dfcb12bbcb58fc47d39073b5a6e27c5

  • SSDEEP

    3072:L67fQOhy4dKctrMHDDYypjHZU2kcFRdpCeO+/6ZmvbXmvjvkWfyFM05MgNFpjU:L67jy4dKcrMjfkY7hOimvwQAM4z5U

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!

Q: What do I do?

A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?

A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

    • Target

      Skärmbild 2025-05-04 205841.jpg

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Wannacry

      WannaCry is a ransomware cryptoworm.

    • Wannacry family

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Renames multiple (105) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies RDP port number used by Windows

    • Patched UPX-packed file

      Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

    • Sets service image path in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • System Binary Proxy Execution: Rundll32

      Abuse Rundll32 to proxy execution of malicious code.

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • File and Directory Permissions Modification: Windows File and Directory Permissions Modification

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v16
