Overview

overview

10

task1

 

10

task2

 

10

Resubmissions

30-12-2019 20:47

191230-nn16lt3qm2 10

30-12-2019 14:17

191230-y8z7sllm8a 10

Analysis

  • max time kernel
    142s
  • resource
    win7v191014
  • submitted
    30-12-2019 20:47

Sharing

Copy URL
Twitter E-mail

General

  • Target

    test.zip

  • Sample

    191230-nn16lt3qm2

  • SHA256

    72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score
10/10
persistenceransomwarewormwannacry

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Deletes shadow copies 2 TTPs 2 IoCs
    ransomware
  • Drops startup file 6 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Loads dropped DLL 5 IoCs
  • Executes dropped EXE 16 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
    "C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    • Loads dropped DLL
    PID:1536
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      2⤵
      • Views/modifies file attributes
      PID:1100
    • C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:1052
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      2⤵
      • Executes dropped EXE
      PID:1980
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c 71971577742443.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\SysWOW64\cscript.exe
        cscript.exe //nologo m.vbs
        3⤵
        • Loads dropped DLL
        PID:1072
    • C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      @WanaDecryptor@.exe co
      2⤵
      • Suspicious use of WriteProcessMemory
      • Loads dropped DLL
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1976
      • C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
        TaskData\Tor\taskhsvc.exe
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Loads dropped DLL
        • Executes dropped EXE
        PID:1160
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @WanaDecryptor@.exe vs
      2⤵
      • Suspicious use of WriteProcessMemory
      • Loads dropped DLL
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
        @WanaDecryptor@.exe vs
        3⤵
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1696
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1560
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Deletes shadow copies
            PID:1200
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Deletes shadow copies
            • Suspicious use of AdjustPrivilegeToken
            PID:1052
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      2⤵
      • Executes dropped EXE
      PID:1696
    • C:\Users\Admin\AppData\Local\Temp\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Executes dropped EXE
      PID:1092
    • C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      @WanaDecryptor@.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1408
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ftqqepmlkbmm513" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
        3⤵
        • Modifies registry key
        PID:1924
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      2⤵
      • Executes dropped EXE
      PID:1392
    • C:\Users\Admin\AppData\Local\Temp\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Executes dropped EXE
      PID:1052
    • C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      @WanaDecryptor@.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1972
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      2⤵
      • Executes dropped EXE
      PID:1624
    • C:\Users\Admin\AppData\Local\Temp\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Executes dropped EXE
      PID:764
    • C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      @WanaDecryptor@.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1712
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      2⤵
      • Executes dropped EXE
      PID:1304
    • C:\Users\Admin\AppData\Local\Temp\taskse.exe
      taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Executes dropped EXE
      PID:568
    • C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
      @WanaDecryptor@.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:904
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Hidden Files and Directories

1
T1158

Privilege Escalation

Defense Evasion

File Deletion

1
T1107

Modify Registry

3
T1112

File Permissions Modification

1
T1222

Hidden Files and Directories

1
T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

1
T1490

Defacement

1
T1491

Replay Monitor

Loading Replay Monitor...

Downloads