Overview

overview

10

task1

 

10

task2

 

10

Analysis

  • max time kernel
    142s
  • resource
    win7v191014
  • submitted
    10-12-2019 16:22

Sharing

Copy URL
Twitter E-mail

General

  • Target

    wannacry.exe

  • Sample

    191210-eg6ml5hv4x

  • SHA256

    ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Score
10/10
ransomwarepersistencewormwannacry

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

  • Deletes shadow copies 2 TTPs 2 IoCs
    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Loads dropped DLL 5 IoCs
  • Executes dropped EXE 16 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
    persistence
  • Drops startup file 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Modifies registry key 1 TTPs 1 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion
  • Modifies file permissions 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry

Processes

  • C:\Users\Admin\AppData\Local\Temp\wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\wannacry.exe"
    1⤵
    • Loads dropped DLL
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      2⤵
      • Views/modifies file attributes
      PID:316
    • C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:824
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      2⤵
      • Executes dropped EXE
      PID:1896
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c 183031575998536.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1228
      • C:\Windows\SysWOW64\cscript.exe
        cscript.exe //nologo m.vbs
        3⤵
        • Loads dropped DLL
        PID:824
    • C:\Users\Admin\AppData\Local\Temp\@[email protected]
      @[email protected] co
      2⤵
      • Loads dropped DLL
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
        TaskData\Tor\taskhsvc.exe
        3⤵
        • Loads dropped DLL
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1888
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @[email protected] vs
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Users\Admin\AppData\Local\Temp\@[email protected]
        @[email protected] vs
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1444
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Deletes shadow copies
            PID:600
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Deletes shadow copies
            • Suspicious use of AdjustPrivilegeToken
            PID:1104
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      2⤵
      • Executes dropped EXE
      PID:988
    • C:\Users\Admin\AppData\Local\Temp\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1228
    • C:\Users\Admin\AppData\Local\Temp\@[email protected]
      @[email protected]
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1904
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1880
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
        3⤵
        • Modifies registry key
        PID:2004
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      2⤵
      • Executes dropped EXE
      PID:600
    • C:\Users\Admin\AppData\Local\Temp\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1748
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      2⤵
      • Executes dropped EXE
      PID:1676
    • C:\Users\Admin\AppData\Local\Temp\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:516
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      2⤵
      • Executes dropped EXE
      PID:732
    • C:\Users\Admin\AppData\Local\Temp\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:984
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "322372338-141076211-1503080421-146637913-1448740906-34692126-16420535131527021419"
    1⤵
      PID:1368
    • C:\Windows\system32\conhost.exe
      \??\C:\Windows\system32\conhost.exe "-12734847781643596584423841872201330664-58296503-2063759584-1024489525693646570"
      1⤵
        PID:1316
      • C:\Windows\system32\conhost.exe
        \??\C:\Windows\system32\conhost.exe "8856289761894114187-9275907881847916772-547314771133916279919147055511677561116"
        1⤵
          PID:836
        • C:\Windows\system32\conhost.exe
          \??\C:\Windows\system32\conhost.exe "-746470925-82865348318295620611441479411-19454052101354562987546870319-287147619"
          1⤵
            PID:600
          • C:\Windows\system32\conhost.exe
            \??\C:\Windows\system32\conhost.exe "52339743317912531191533318485-1838379674-17789183812137366404-20843443491741399060"
            1⤵
              PID:1304
            • C:\Windows\system32\conhost.exe
              \??\C:\Windows\system32\conhost.exe "-13183247171887289118-162751310421076480381408615530746642015-1093837671-755781354"
              1⤵
                PID:1424
              • C:\Windows\system32\conhost.exe
                \??\C:\Windows\system32\conhost.exe "-1402657853-833023408-129039501011449234881236233584-11662924751590932601802886852"
                1⤵
                  PID:1616
                • C:\Windows\system32\vssvc.exe
                  C:\Windows\system32\vssvc.exe
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1324

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/824-44-0x0000000002760000-0x0000000002764000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1044-36-0x0000000010000000-0x0000000010010000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/1888-237-0x0000000002910000-0x0000000002921000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/1888-70-0x0000000002910000-0x0000000002921000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/1888-69-0x0000000002D20000-0x0000000002D31000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/1888-235-0x0000000002910000-0x0000000002921000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/1888-236-0x0000000002D20000-0x0000000002D31000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/1888-68-0x0000000002910000-0x0000000002921000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/1888-402-0x0000000003100000-0x0000000003111000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/1888-403-0x0000000003510000-0x0000000003521000-memory.dmp

                  Filesize

                  68KB

                  Download

                • memory/1888-404-0x0000000003100000-0x0000000003111000-memory.dmp

                  Filesize

                  68KB

                  Download