wannacry | 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Sample

191202-3peefk1fgj
SHA256

72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score

10^/10

persistence ransomware worm wannacry

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Executes dropped EXE 16 IoCs

pid	Process
1996	taskdl.exe
2012	@[email protected]
1996	@[email protected]
108	taskhsvc.exe
1732	taskdl.exe
2044	taskse.exe
1512	@[email protected]
1732	taskdl.exe
1996	taskse.exe
1944	@[email protected]
1556	taskdl.exe
1896	taskse.exe
1832	@[email protected]
1868	taskdl.exe
1772	taskse.exe
1188	@[email protected]

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1512	@[email protected]

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Drops startup file 6 IoCs

description	ioc	Process
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7970.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7970.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7970.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7993.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7993.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7993.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Loads dropped DLL 5 IoCs

pid	Process
1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1788	cscript.exe
1280	cmd.exe
2012	@[email protected]
108	taskhsvc.exe

Deletes shadow copies 2 TTPs 2 IoCs

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1608	WMIC.exe
1196	vssadmin.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1580	reg.exe

Modifies file permissions 1 TTPs 1 IoCs

File and Directory Permissions Modification

T1222

pid	Process
1424	icacls.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1996	@[email protected]
2012	@[email protected]
1512	@[email protected]
1944	@[email protected]
1832	@[email protected]
1188	@[email protected]

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
108	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeBackupPrivilege	2028	vssvc.exe
Token: SeRestorePrivilege	2028	vssvc.exe
Token: SeAuditPrivilege	2028	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1608	WMIC.exe
Token: SeSecurityPrivilege	1608	WMIC.exe
Token: SeTakeOwnershipPrivilege	1608	WMIC.exe
Token: SeLoadDriverPrivilege	1608	WMIC.exe
Token: SeSystemProfilePrivilege	1608	WMIC.exe
Token: SeSystemtimePrivilege	1608	WMIC.exe
Token: SeProfSingleProcessPrivilege	1608	WMIC.exe
Token: SeIncBasePriorityPrivilege	1608	WMIC.exe
Token: SeCreatePagefilePrivilege	1608	WMIC.exe
Token: SeBackupPrivilege	1608	WMIC.exe
Token: SeRestorePrivilege	1608	WMIC.exe
Token: SeShutdownPrivilege	1608	WMIC.exe
Token: SeDebugPrivilege	1608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1608	WMIC.exe
Token: SeRemoteShutdownPrivilege	1608	WMIC.exe
Token: SeUndockPrivilege	1608	WMIC.exe
Token: SeManageVolumePrivilege	1608	WMIC.exe
Token: 33	1608	WMIC.exe
Token: 34	1608	WMIC.exe
Token: 35	1608	WMIC.exe
Token: SeTcbPrivilege	2044	taskse.exe
Token: SeTcbPrivilege	1996	taskse.exe
Token: SeTcbPrivilege	1896	taskse.exe
Token: SeTcbPrivilege	1772	taskse.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ftqqepmlkbmm513 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1432	attrib.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1432	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	27
PID 1436 wrote to memory of 1424	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	29
PID 1436 wrote to memory of 1996	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	31
PID 1436 wrote to memory of 2040	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	32
PID 2040 wrote to memory of 1788	2040	cmd.exe	34
PID 1436 wrote to memory of 2012	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	36
PID 1436 wrote to memory of 1280	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	37
PID 1280 wrote to memory of 1996	1280	cmd.exe	39
PID 2012 wrote to memory of 108	2012	@[email protected]	41
PID 1996 wrote to memory of 2000	1996	@[email protected]	43
PID 2000 wrote to memory of 1196	2000	cmd.exe	45
PID 2000 wrote to memory of 1608	2000	cmd.exe	47
PID 1436 wrote to memory of 1732	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	48
PID 1436 wrote to memory of 2044	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	49
PID 1436 wrote to memory of 1512	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	50
PID 1436 wrote to memory of 1184	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	51
PID 1184 wrote to memory of 1580	1184	cmd.exe	53
PID 1436 wrote to memory of 1732	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	55
PID 1436 wrote to memory of 1996	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	56
PID 1436 wrote to memory of 1944	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	57
PID 1436 wrote to memory of 1556	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	59
PID 1436 wrote to memory of 1896	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	60
PID 1436 wrote to memory of 1832	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	61
PID 1436 wrote to memory of 1868	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	64
PID 1436 wrote to memory of 1772	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	65
PID 1436 wrote to memory of 1188	1436	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	66

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:1432
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1424
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 183521575281394.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - Loads dropped DLL
    PID:1788
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Deletes shadow copies
        
        PID:1196
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Deletes shadow copies
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    3⤵
    - Modifies registry key
    PID:1580
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1881317576550991269-7651052519046183392044447755-650160409-1423590481578062281"
1⤵
PID:1472

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1141586790-10050394631595189986-2122683527-5762705421957156715827188597-1981454421"
1⤵
PID:1124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1785090230-1004877055114385729975119691-1714043537184996893314838450231274954489"
1⤵
PID:1836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1629550071435306870-820791668166325570117834793862122818006-793800686720767705"
1⤵
PID:1228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16189733561604478451-1936734850-1867703752-213947554417922742631416712290-2003351711"
1⤵
PID:1668

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1878704253-213457357710200884011585325179-152054151814376418462017496704-982607807"
1⤵
PID:1736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9485156341671461128492649552-974119446-77558163369084134213874210781770290371"
1⤵
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/108-235-0x0000000002E00000-0x0000000002E11000-memory.dmp

Filesize
68KB

Download
memory/108-70-0x0000000002E00000-0x0000000002E11000-memory.dmp

Filesize
68KB

Download
memory/108-402-0x00000000034D0000-0x00000000034E1000-memory.dmp

Filesize
68KB

Download
memory/108-69-0x0000000003210000-0x0000000003221000-memory.dmp

Filesize
68KB

Download
memory/108-403-0x00000000038E0000-0x00000000038F1000-memory.dmp

Filesize
68KB

Download
memory/108-236-0x0000000003210000-0x0000000003221000-memory.dmp

Filesize
68KB

Download
memory/108-237-0x0000000002E00000-0x0000000002E11000-memory.dmp

Filesize
68KB

Download
memory/108-68-0x0000000002E00000-0x0000000002E11000-memory.dmp

Filesize
68KB

Download
memory/108-404-0x00000000034D0000-0x00000000034E1000-memory.dmp

Filesize
68KB

Download
memory/1436-36-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1788-44-0x0000000002730000-0x0000000002734000-memory.dmp

Filesize
16KB

Download