wannacry | 72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Resubmissions

30-12-2019 20:47

191230-nn16lt3qm2 10

30-12-2019 14:17

191230-y8z7sllm8a 10

Analysis

max time kernel
143s
resource
win10v191014
submitted
30-12-2019 20:47

Sharing

Copy URL

Twitter E-mail

General

Target

test.zip
Sample

191230-nn16lt3qm2
SHA256

72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score

10^/10

ransomware worm wannacry persistence

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nmsqcsinudawe237 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""

Deletes shadow copies 2 TTPs 2 IoCs

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
740	vssadmin.exe
3948	WMIC.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4912	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	73
PID 4880 wrote to memory of 4928	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	75
PID 4880 wrote to memory of 4236	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	77
PID 4880 wrote to memory of 372	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	78
PID 372 wrote to memory of 4276	372	cmd.exe	80
PID 4880 wrote to memory of 4084	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	87
PID 4880 wrote to memory of 3996	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	88
PID 3996 wrote to memory of 3920	3996	cmd.exe	90
PID 4084 wrote to memory of 3732	4084	@[email protected]	92
PID 4880 wrote to memory of 2512	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	94
PID 4880 wrote to memory of 4856	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	95
PID 4880 wrote to memory of 2336	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	96
PID 4880 wrote to memory of 4772	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	97
PID 4772 wrote to memory of 4944	4772	cmd.exe	99
PID 3920 wrote to memory of 4856	3920	@[email protected]	101
PID 4856 wrote to memory of 740	4856	cmd.exe	104
PID 4856 wrote to memory of 3948	4856	cmd.exe	106
PID 4880 wrote to memory of 1672	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	108
PID 4880 wrote to memory of 1896	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	109
PID 4880 wrote to memory of 1988	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	110
PID 4880 wrote to memory of 4980	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	114
PID 4880 wrote to memory of 4144	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	115
PID 4880 wrote to memory of 3012	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	116
PID 4880 wrote to memory of 3552	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	122
PID 4880 wrote to memory of 3544	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	123
PID 4880 wrote to memory of 4820	4880	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	124

Loads dropped DLL 1 IoCs

pid	Process
3732	taskhsvc.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"

Drops startup file 6 IoCs

description	ioc	Process
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA23E.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA23E.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA23E.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created (read-only)	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA254.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA254.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File deleted	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA254.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 16 IoCs

pid	Process
4236	taskdl.exe
4084	@[email protected]
3920	@[email protected]
3732	taskhsvc.exe
2512	taskdl.exe
4856	taskse.exe
2336	@[email protected]
1672	taskdl.exe
1896	taskse.exe
1988	@[email protected]
4980	taskdl.exe
4144	taskse.exe
3012	@[email protected]
3552	taskse.exe
3544	@[email protected]
4820	taskdl.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4084	@[email protected]
3920	@[email protected]
2336	@[email protected]
1988	@[email protected]
3012	@[email protected]
3544	@[email protected]

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeTcbPrivilege	4856	taskse.exe
Token: SeBackupPrivilege	5052	vssvc.exe
Token: SeRestorePrivilege	5052	vssvc.exe
Token: SeAuditPrivilege	5052	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3948	WMIC.exe
Token: SeSecurityPrivilege	3948	WMIC.exe
Token: SeTakeOwnershipPrivilege	3948	WMIC.exe
Token: SeLoadDriverPrivilege	3948	WMIC.exe
Token: SeSystemProfilePrivilege	3948	WMIC.exe
Token: SeSystemtimePrivilege	3948	WMIC.exe
Token: SeProfSingleProcessPrivilege	3948	WMIC.exe
Token: SeIncBasePriorityPrivilege	3948	WMIC.exe
Token: SeCreatePagefilePrivilege	3948	WMIC.exe
Token: SeBackupPrivilege	3948	WMIC.exe
Token: SeRestorePrivilege	3948	WMIC.exe
Token: SeShutdownPrivilege	3948	WMIC.exe
Token: SeDebugPrivilege	3948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3948	WMIC.exe
Token: SeRemoteShutdownPrivilege	3948	WMIC.exe
Token: SeUndockPrivilege	3948	WMIC.exe
Token: SeManageVolumePrivilege	3948	WMIC.exe
Token: 33	3948	WMIC.exe
Token: 34	3948	WMIC.exe
Token: 35	3948	WMIC.exe
Token: 36	3948	WMIC.exe
Token: SeTcbPrivilege	1896	taskse.exe
Token: SeTcbPrivilege	4144	taskse.exe
Token: SeTcbPrivilege	3552	taskse.exe

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4912	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs

File and Directory Permissions Modification

T1222

pid	Process
4928	icacls.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3732	taskhsvc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4944	reg.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Drops startup file
PID:4880
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:4912
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4928
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 77611577742442.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:4276
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected] co
  2⤵
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Loads dropped DLL
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] vs
    3⤵
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3920
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Deletes shadow copies
        
        PID:740
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Deletes shadow copies
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4856
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nmsqcsinudawe237" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    3⤵
    - Modifies registry key
    PID:4944
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3552
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3544
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3732-150-0x0000000003D10000-0x0000000003D11000-memory.dmp

Filesize
4KB

Download
memory/3732-143-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-67-0x0000000003D10000-0x0000000003D11000-memory.dmp

Filesize
4KB

Download
memory/3732-68-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-71-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-77-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-78-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-87-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-91-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-102-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-115-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-64-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-149-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-314-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download
memory/3732-240-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-151-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-213-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3732-320-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download
memory/3732-316-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download
memory/3732-315-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/4880-36-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download