General
-
Target
Skärmbild 2025-05-04 205841.jpg
-
Size
167KB
-
Sample
250518-wf87fsan3x
-
MD5
0c45974e619cc493b81a6ac2b450230e
-
SHA1
d9231f836a8099b0eeeaa32105f30f11e3f74541
-
SHA256
c99d1ac3f8c3634bfb9e8cf34b656dc773cda48206e10b06d7491a870f7f4a4c
-
SHA512
5964a483ff3dc32641f689cd8b47d6b0f73c4cc6c1a78e6fd0952085d1685ad21ff2ce9cbc320768ec0f7881ebbbf7512dfcb12bbcb58fc47d39073b5a6e27c5
-
SSDEEP
3072:L67fQOhy4dKctrMHDDYypjHZU2kcFRdpCeO+/6ZmvbXmvjvkWfyFM05MgNFpjU:L67jy4dKcrMjfkY7hOimvwQAM4z5U
Static task
static1
Behavioral task
behavioral1
Sample
Skärmbild 2025-05-04 205841.jpg
Resource
win10v2004-20250502-en
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
wannacry
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Targets
-
-
Target
Skärmbild 2025-05-04 205841.jpg
-
Size
167KB
-
MD5
0c45974e619cc493b81a6ac2b450230e
-
SHA1
d9231f836a8099b0eeeaa32105f30f11e3f74541
-
SHA256
c99d1ac3f8c3634bfb9e8cf34b656dc773cda48206e10b06d7491a870f7f4a4c
-
SHA512
5964a483ff3dc32641f689cd8b47d6b0f73c4cc6c1a78e6fd0952085d1685ad21ff2ce9cbc320768ec0f7881ebbbf7512dfcb12bbcb58fc47d39073b5a6e27c5
-
SSDEEP
3072:L67fQOhy4dKctrMHDDYypjHZU2kcFRdpCeO+/6ZmvbXmvjvkWfyFM05MgNFpjU:L67jy4dKcrMjfkY7hOimvwQAM4z5U
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Wannacry family
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (105) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies RDP port number used by Windows
-
Patched UPX-packed file
Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Modifies file permissions
-
System Binary Proxy Execution: Rundll32
Abuse Rundll32 to proxy execution of malicious code.
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Sets desktop wallpaper using registry
-
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
2Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
File and Directory Permissions Modification
2Windows File and Directory Permissions Modification
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Safe Mode Boot
1Indicator Removal
1File Deletion
1Modify Registry
7Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Rundll32
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1