Unknown

Name: Ransomware.wannahusky.exe.malz

Hashes

MD5: 0287b38f8240a025b30c0a231ea403fc
SHA1: 691ac1b4b7b494f7b56eff0b48ba3e31a14e0d7d 
SHA256: 3d35cebcf40705c23124fdc4656a7f400a316b8e96f1f9e0c187e82a9d17dca3

VirusTotal

On VirusTotal It is flagged it as trojan by 44 engines out of 72.

Strings

Floss highlights some interesting strings in binary

@cannot write to stream
@tree C:\
@Desktop\ps1.ps1
@powershell 
@Desktop\ps1.ps1
@$code = @'
using System.Runtime.InteropServices;
namespace Win32{
    
    public class Wallpaper{
      [DllImport("user32.dll", CharSet=CharSet.Auto)]
      static  extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;
      public static void SetWallpaper(string thePath){
         SystemParametersInfo(20,0,thePath,3);
      }
    }
add-type $code
$currDir = Get-Location
$wallpaper = ".\WANNAHUSKY.PNG"
$fullpath = Join-Path -path $currDir -ChildPath $wallpaper
[Win32.Wallpaper]::SetWallpaper($fullpath)
@Desktop\WANNAHUSKY.png
IHDR
sRGB

@encode__npLRSgmGJDNX8bfurW5iRw@12
stdlib_base64.nim.c
@burnMem__4FZHyz34TGxTmMy6XY9cOSg@8
@m..@s..@s..@s..@s..@s.nimble@spkgs@snimcrypto-0.5.4@snimcrypto@sutils.nim.c
@digest__CXo4xdrVR0UXF9aOcb9aJFYg@8
@m..@s..@s..@s..@s..@s.nimble@spkgs@snimcrypto-0.5.4@snimcrypto@shash.nim.c
_nimAddInt.constprop.0
@sha256Transform__BJNBQtWr9bJwzqbyfKXd38Q@12
@finish__x70ALeeaQ1ry9a63hdOCQWA@4
@m..@s..@s..@s..@s..@s.nimble@spkgs@snimcrypto-0.5.4@snimcrypto@ssha2.nim.c
_ortho__tEkTGAwQ2Ju9b64CfcPFjKgrijndael
@bitsliceSbox__td6AIXVem9adJuhtvam1mYA@4
@subWord__eIyaZ4Ej9atGVh4yLO6rJVQ@4
@keySchedule__atoyT3nOrMuAmdOTI4mO5g@12
@encrypt__py6wg79aBw8iTzUm11Z7JOA@20
@m..@s..@s..@s..@s..@s.nimble@spkgs@snimcrypto-0.5.4@snimcrypto@srijndael.nim.c
@init__QeKCvRTxwnkv4EgDHKgXYA@20
_TM__40YfnbOcmramUFyaunCxCg_2
_TM__40YfnbOcmramUFyaunCxCg_3
@inc128__vRz5m42fv3XKwSYgATX55Q@8
@inc256__vRz5m42fv3XKwSYgATX55Q_2@8

Which highlights nim is in use and a file on Desktop with name WANNAHUSKY.PNG

Using PE-Stdio we can identify its 32 bit executable and hints at process injection

Comparing raw size and virtual size we can conclude that malware is not packed.

Intial Running

In initial detonation without internet, it ran cmd and tree command

It runs a powershell script from users desktop

and it updates the como image and drop a file.