Overview

overview

10

task1

 

10

task2

 

10

Resubmissions

30-10-2019 18:36

191030-35tdg7dqen 0

29-10-2019 13:22

191029-vhssnz4w3x 0

Analysis

  • max time kernel
    146s
  • max time network
    151s
  • resource
    win10v191014

Sharing

Copy URL
Twitter E-mail

General

  • Target

    wannacry.exe

  • Sample

    191030-35tdg7dqen

  • SHA256

    ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Score
N/A

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Wannacry file encrypt 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Deletes shadow copies 2 TTPs 2 IoCs
    ransomware
  • Uses Volume Shadow Copy Service COM API 13 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Executes dropped EXE 14 IoCs
  • Drops startup file 6 IoCs
  • Drops file in system dir 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Drops Office document 29 IoCs
    dropperexploitermaldoc
  • Loads dropped DLL 1 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
    persistence
  • wannacry family
    familywannacry

Processes

  • C:\Users\Admin\AppData\Local\Temp\wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\wannacry.exe"
    1⤵
    • Wannacry file encrypt
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    • Drops startup file
    • Drops Office document
    PID:4932
  • C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    1⤵
    • Views/modifies file attributes
    PID:4952
  • C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    1⤵
    • Modifies file permissions
    PID:4960
  • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
    taskdl.exe
    1⤵
    • Executes dropped EXE
    PID:992
  • C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 129661572464202.bat
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4032
  • C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    1⤵
      PID:3652
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      1⤵
      • Executes dropped EXE
      PID:4744
    • C:\Users\Admin\AppData\Local\Temp\@[email protected]
      @[email protected] co
      1⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:4244
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @[email protected] vs
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4212
    • C:\Users\Admin\AppData\Local\Temp\@[email protected]
      @[email protected] vs
      1⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      PID:3172
    • C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      1⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Loads dropped DLL
      PID:4840
    • C:\Windows\system32\SppExtComObj.exe
      C:\Windows\system32\SppExtComObj.exe -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4584
    • C:\Windows\System32\SLUI.exe
      "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
      1⤵
        PID:5000
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4712
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin delete shadows /all /quiet
        1⤵
        • Deletes shadow copies
        • Uses Volume Shadow Copy Service COM API
        PID:4728
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Uses Volume Shadow Copy Service COM API
        • Suspicious use of AdjustPrivilegeToken
        PID:3708
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        1⤵
        • Deletes shadow copies
        • Suspicious use of AdjustPrivilegeToken
        PID:4344
      • C:\Users\Admin\AppData\Local\Temp\taskse.exe
        taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Executes dropped EXE
        PID:892
      • C:\Users\Admin\AppData\Local\Temp\@[email protected]
        @[email protected]
        1⤵
        • Sets desktop wallpaper using registry
        • Suspicious use of SetWindowsHookEx
        • Executes dropped EXE
        PID:1072
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1120
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
        1⤵
        • Modifies registry key
        • Adds Run entry to start application
        PID:1396
      • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        taskdl.exe
        1⤵
        • Executes dropped EXE
        PID:1412
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s BITS
        1⤵
        • Drops file in system dir
        PID:2236
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
        1⤵
          PID:2700
        • C:\Users\Admin\AppData\Local\Temp\taskse.exe
          taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          • Executes dropped EXE
          PID:2548
        • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
          taskdl.exe
          1⤵
          • Executes dropped EXE
          PID:4536
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
          1⤵
          • Checks system information in the registry (likely anti-VM)
          PID:5004
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k unistacksvcgroup
          1⤵
            PID:4904
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
            1⤵
            • Windows security modification
            PID:1604
          • C:\Users\Admin\AppData\Local\Temp\taskse.exe
            taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            • Executes dropped EXE
            PID:4968
          • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
            taskdl.exe
            1⤵
            • Executes dropped EXE
            PID:3524

          Network

          MITRE ATT&CK Enterprise v15

          MITRE ATT&CK Additional techniques

          • T1107
          • T1158
          • T1089
          • T1060

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/4840-311-0x00000000034F0000-0x00000000034F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4840-65-0x0000000003710000-0x0000000003711000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4840-66-0x0000000002F10000-0x0000000002F11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4840-69-0x0000000002F10000-0x0000000002F11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4840-87-0x0000000002F10000-0x0000000002F11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4840-147-0x0000000002F10000-0x0000000002F11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4840-148-0x0000000003710000-0x0000000003711000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4840-149-0x0000000002F10000-0x0000000002F11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4840-64-0x0000000002F10000-0x0000000002F11000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4840-312-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4840-313-0x00000000034F0000-0x00000000034F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4840-331-0x00000000034F0000-0x00000000034F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4932-36-0x0000000010000000-0x0000000010010000-memory.dmp

            Filesize

            64KB

            Download