WannaRun V6.0勒索病毒

显示全部楼层 · 发表于 2023-1-7 12:34:13

本帖最后由 python无名氏于 2023-1-7 14:47 编辑

WannaRun出到6.0了

我放微步里了(附件太大了)
https://s.threatbook.com/report/ ... a128a7c13c45d0df1d4
这次增加了非固定密钥，密钥可以根据ID推算。
有没有哪位大佬能推算出来ID转密钥的公式
(公式很简单，人脑就能解出来)
需要的话ID给我，我把密钥算出来给你

显示全部楼层 · 发表于 2023-1-7 12:39:11

本帖最后由 anxiety520 于 2023-1-7 12:45 编辑

Kaspersky Scan missed Opentip检出:

Dynamic analysis detects
Status Name
Malware
Trojan.Win32.Agent.sb
Malware
Trojan-Ransom.Win32.Encoder.sb
Malware
Trojan-Ransom.Win32.Agent.sb

复制代码

Suspicious activities
Status Severity Description
High
800 The process $Image_path has deleted shadow copies of user files (MITRE: T1490 Inhibit System Recovery). This action is typical for the malware of the Trojan-Ransom family.
High
800 The process $Image_path has deleted shadow copies of user files (MITRE: T1490 Inhibit System Recovery). This action is typical for the malware of the Trojan-Ransom family.
High
660 The process $Image_path has modified user files $Files_list. This action is typical for Trojan-Ransom malware (MITRE: T1486 Data Encrypted for Impact).
High
660 The process $Image_path has modified user files $Files_list. This action is typical for Trojan-Ransom malware (MITRE: T1486 Data Encrypted for Impact).
Medium
500 The process $Image_path has been executed to encode/decode a file to evade defensive measures: $Cmd_line (Mitre T1140 Deobfuscate/Decode Files or Information).
Medium
500 The process $Image_path has been executed to encode/decode a file to evade defensive measures: $Cmd_line (Mitre T1140 Deobfuscate/Decode Files or Information).
Medium
500 The process $Image_path has been executed to encode/decode a file to evade defensive measures: $Cmd_line (Mitre T1140 Deobfuscate/Decode Files or Information).
Medium
500 The process $Image_path has set a new wallpaper for the Windows desktop: $Registry_key\$Registry_value_name: $Registry_value (MITRE: T1491.001 Defacement: Internal Defacement).
Low
290 The process $starter_image_path has run the file $dropped_file, which was created by the process $dropper_image_path. The file was started as follows: $command (MITRE: T1204.002 User Execution: Malicious File).

复制代码

显示全部楼层 · 发表于 2023-1-7 12:41:03

本帖最后由 dght432 于 2023-1-7 12:43 编辑

360类型:木马-Win32/Trojan.Generic.HgIAS6QA
描述:木马是一种伪装成正常文件的恶意软件，会盗取您的帐号、密码等隐私资料。
扫描引擎:云安全引擎
文件路径:C:\Users\Downloads\4aee9fc4ed68a8849488525c971961b17592a15af793e92214ee23ea9e47313f\4aee9fc4ed68a8849488525c971961b17592a15af793e92214ee23ea9e47313f
文件大小:4.32M (4,530,176 字节)
文件版本:1.14.51.4
文件描述:@WannaRun@
文件指纹（MD5）:c3af51b907ab20247ede19bf13e19c73
处理建议:隔离文件

显示全部楼层 · 发表于 2023-1-7 12:42:30

https://we.tl/t-HhcFXBa15K
密码：threatbook

显示全部楼层 · 发表于 2023-1-7 12:43:34

火绒解压杀

显示全部楼层 · 发表于 2023-1-7 12:44:45

MD：TrojanDownloader:Win32/Emotet!ml
云保护等级：零容忍

显示全部楼层 · 发表于 2023-1-7 12:58:12

事件: 检测到恶意对象
应用程序: 4aee9fc4ed68a8849488525c971961b17592a15af793e92214ee23ea9e47313f.exe
用户: DESKTOP-8E67PM1\fengy
用户类型: 发起者
组件: 系统监控
结果说明: 检测到
类型: 木马
名称: PDM:Trojan.Win32.Generic
威胁级别: 高
对象类型: 进程
对象路径: C:\Users\fengy\Desktop
对象名称: 4aee9fc4ed68a8849488525c971961b17592a15af793e92214ee23ea9e47313f.exe.WannaRun
原因: 行为分析
数据库发布日期: 今天，2023/1/7 11:10:00
MD5: C3AF51B907AB20247EDE19BF13E19C73

显示全部楼层 · 发表于 2023-1-7 13:27:31

显示全部楼层 · 发表于 2023-1-7 13:38:15

avast 被沙盒吃死了衍生物全在沙盒文件夹程序就换了个黑屏壁纸就跑出来个解密窗口然后等几分钟分析完直接查杀了

显示全部楼层 · 发表于 2023-1-7 13:40:45

本帖最后由 python无名氏于 2023-1-7 13:48 编辑

117054487 发表于 2023-1-7 13:38
avast 被沙盒吃死了衍生物全在沙盒文件夹程序就换了个黑屏壁纸就跑出来个解密窗口然后等几分钟分析完 ...

不应该呀...至少应该改个后缀啊

而且他不应该会把壁纸改成我那英俊潇洒的头像吗

[病毒样本] WannaRun V6.0勒索病毒

本帖子中包含更多资源

评分

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源

本帖子中包含更多资源