wannacry | c1423615b067edb1cf5c478d761a78682208833568f45654cf1dbb06fd11825b

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7v20201028
submitted
04-11-2020 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WANACRYPTOR.bin.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Score

10^/10

wannacry discovery persistence ransomware spyware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Executes dropped EXE 15 IoCs

pid	Process
280	taskdl.exe
1416	@[email protected]
316	taskhsvc.exe
864	taskse.exe
1012	@[email protected]
1836	taskdl.exe
1952	taskdl.exe
1040	taskse.exe
1860	@[email protected]
1548	taskse.exe
1552	@[email protected]
1084	taskdl.exe
600	taskse.exe
920	@[email protected]
1976	taskdl.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CompareUninstall.png.WNCRY	WANACRYPTOR.bin.exe
File created	C:\Users\Admin\Pictures\ExpandDeny.png.WNCRYT	WANACRYPTOR.bin.exe
File renamed	C:\Users\Admin\Pictures\ExpandDeny.png.WNCRYT => C:\Users\Admin\Pictures\ExpandDeny.png.WNCRY	WANACRYPTOR.bin.exe
File created	C:\Users\Admin\Pictures\ResizeGroup.png.WNCRYT	WANACRYPTOR.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ResizeGroup.png.WNCRY	WANACRYPTOR.bin.exe
File created	C:\Users\Admin\Pictures\CompareUninstall.png.WNCRYT	WANACRYPTOR.bin.exe
File renamed	C:\Users\Admin\Pictures\CompareUninstall.png.WNCRYT => C:\Users\Admin\Pictures\CompareUninstall.png.WNCRY	WANACRYPTOR.bin.exe
File opened for modification	C:\Users\Admin\Pictures\ExpandDeny.png.WNCRY	WANACRYPTOR.bin.exe
File renamed	C:\Users\Admin\Pictures\ResizeGroup.png.WNCRYT => C:\Users\Admin\Pictures\ResizeGroup.png.WNCRY	WANACRYPTOR.bin.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8CE7.tmp	WANACRYPTOR.bin.exe

Loads dropped DLL 39 IoCs

pid	Process
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1588	cscript.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
580	cmd.exe
580	cmd.exe
1416	@[email protected]
1416	@[email protected]
316	taskhsvc.exe
316	taskhsvc.exe
316	taskhsvc.exe
316	taskhsvc.exe
316	taskhsvc.exe
316	taskhsvc.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe
1816	WANACRYPTOR.bin.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2000	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\hbntsshfevel836 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

JavaScript code in executable 5 IoCs

resource	yara_rule
behavioral1/files/0x00030000000132a8-63.dat	js
behavioral1/files/0x00030000000132a8-61.dat	js
behavioral1/files/0x00030000000132a8-60.dat	js
behavioral1/files/0x000300000001329f-70.dat	js
behavioral1/files/0x000300000001329f-71.dat	js

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WANACRYPTOR.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
920	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
316	taskhsvc.exe
316	taskhsvc.exe
316	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1012	@[email protected]

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeTcbPrivilege	864	taskse.exe
Token: SeTcbPrivilege	864	taskse.exe
Token: SeTcbPrivilege	1040	taskse.exe
Token: SeTcbPrivilege	1040	taskse.exe
Token: SeTcbPrivilege	1548	taskse.exe
Token: SeTcbPrivilege	1548	taskse.exe
Token: SeTcbPrivilege	600	taskse.exe
Token: SeTcbPrivilege	600	taskse.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1416	@[email protected]
1416	@[email protected]
1012	@[email protected]
1012	@[email protected]
1860	@[email protected]
1552	@[email protected]
920	@[email protected]

Suspicious use of WriteProcessMemory 92 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1316	1816	WANACRYPTOR.bin.exe	26
PID 1816 wrote to memory of 1316	1816	WANACRYPTOR.bin.exe	26
PID 1816 wrote to memory of 1316	1816	WANACRYPTOR.bin.exe	26
PID 1816 wrote to memory of 1316	1816	WANACRYPTOR.bin.exe	26
PID 1816 wrote to memory of 2000	1816	WANACRYPTOR.bin.exe	28
PID 1816 wrote to memory of 2000	1816	WANACRYPTOR.bin.exe	28
PID 1816 wrote to memory of 2000	1816	WANACRYPTOR.bin.exe	28
PID 1816 wrote to memory of 2000	1816	WANACRYPTOR.bin.exe	28
PID 1816 wrote to memory of 280	1816	WANACRYPTOR.bin.exe	33
PID 1816 wrote to memory of 280	1816	WANACRYPTOR.bin.exe	33
PID 1816 wrote to memory of 280	1816	WANACRYPTOR.bin.exe	33
PID 1816 wrote to memory of 280	1816	WANACRYPTOR.bin.exe	33
PID 1816 wrote to memory of 1480	1816	WANACRYPTOR.bin.exe	34
PID 1816 wrote to memory of 1480	1816	WANACRYPTOR.bin.exe	34
PID 1816 wrote to memory of 1480	1816	WANACRYPTOR.bin.exe	34
PID 1816 wrote to memory of 1480	1816	WANACRYPTOR.bin.exe	34
PID 1480 wrote to memory of 1588	1480	cmd.exe	36
PID 1480 wrote to memory of 1588	1480	cmd.exe	36
PID 1480 wrote to memory of 1588	1480	cmd.exe	36
PID 1480 wrote to memory of 1588	1480	cmd.exe	36
PID 1816 wrote to memory of 1416	1816	WANACRYPTOR.bin.exe	38
PID 1816 wrote to memory of 1416	1816	WANACRYPTOR.bin.exe	38
PID 1816 wrote to memory of 1416	1816	WANACRYPTOR.bin.exe	38
PID 1816 wrote to memory of 1416	1816	WANACRYPTOR.bin.exe	38
PID 1816 wrote to memory of 580	1816	WANACRYPTOR.bin.exe	39
PID 1816 wrote to memory of 580	1816	WANACRYPTOR.bin.exe	39
PID 1816 wrote to memory of 580	1816	WANACRYPTOR.bin.exe	39
PID 1816 wrote to memory of 580	1816	WANACRYPTOR.bin.exe	39
PID 580 wrote to memory of 376	580	cmd.exe	41
PID 580 wrote to memory of 376	580	cmd.exe	41
PID 580 wrote to memory of 376	580	cmd.exe	41
PID 580 wrote to memory of 376	580	cmd.exe	41
PID 1416 wrote to memory of 316	1416	@[email protected]	42
PID 1416 wrote to memory of 316	1416	@[email protected]	42
PID 1416 wrote to memory of 316	1416	@[email protected]	42
PID 1416 wrote to memory of 316	1416	@[email protected]	42
PID 1816 wrote to memory of 864	1816	WANACRYPTOR.bin.exe	44
PID 1816 wrote to memory of 864	1816	WANACRYPTOR.bin.exe	44
PID 1816 wrote to memory of 864	1816	WANACRYPTOR.bin.exe	44
PID 1816 wrote to memory of 864	1816	WANACRYPTOR.bin.exe	44
PID 1816 wrote to memory of 1012	1816	WANACRYPTOR.bin.exe	45
PID 1816 wrote to memory of 1012	1816	WANACRYPTOR.bin.exe	45
PID 1816 wrote to memory of 1012	1816	WANACRYPTOR.bin.exe	45
PID 1816 wrote to memory of 1012	1816	WANACRYPTOR.bin.exe	45
PID 1816 wrote to memory of 1484	1816	WANACRYPTOR.bin.exe	46
PID 1816 wrote to memory of 1484	1816	WANACRYPTOR.bin.exe	46
PID 1816 wrote to memory of 1484	1816	WANACRYPTOR.bin.exe	46
PID 1816 wrote to memory of 1484	1816	WANACRYPTOR.bin.exe	46
PID 1816 wrote to memory of 1836	1816	WANACRYPTOR.bin.exe	47
PID 1816 wrote to memory of 1836	1816	WANACRYPTOR.bin.exe	47
PID 1816 wrote to memory of 1836	1816	WANACRYPTOR.bin.exe	47
PID 1816 wrote to memory of 1836	1816	WANACRYPTOR.bin.exe	47
PID 1484 wrote to memory of 920	1484	cmd.exe	49
PID 1484 wrote to memory of 920	1484	cmd.exe	49
PID 1484 wrote to memory of 920	1484	cmd.exe	49
PID 1484 wrote to memory of 920	1484	cmd.exe	49
PID 1816 wrote to memory of 1952	1816	WANACRYPTOR.bin.exe	50
PID 1816 wrote to memory of 1952	1816	WANACRYPTOR.bin.exe	50
PID 1816 wrote to memory of 1952	1816	WANACRYPTOR.bin.exe	50
PID 1816 wrote to memory of 1952	1816	WANACRYPTOR.bin.exe	50
PID 1816 wrote to memory of 1040	1816	WANACRYPTOR.bin.exe	51
PID 1816 wrote to memory of 1040	1816	WANACRYPTOR.bin.exe	51
PID 1816 wrote to memory of 1040	1816	WANACRYPTOR.bin.exe	51
PID 1816 wrote to memory of 1040	1816	WANACRYPTOR.bin.exe	51
PID 1816 wrote to memory of 1860	1816	WANACRYPTOR.bin.exe	52
PID 1816 wrote to memory of 1860	1816	WANACRYPTOR.bin.exe	52
PID 1816 wrote to memory of 1860	1816	WANACRYPTOR.bin.exe	52
PID 1816 wrote to memory of 1860	1816	WANACRYPTOR.bin.exe	52
PID 1816 wrote to memory of 1548	1816	WANACRYPTOR.bin.exe	53
PID 1816 wrote to memory of 1548	1816	WANACRYPTOR.bin.exe	53
PID 1816 wrote to memory of 1548	1816	WANACRYPTOR.bin.exe	53
PID 1816 wrote to memory of 1548	1816	WANACRYPTOR.bin.exe	53
PID 1816 wrote to memory of 1552	1816	WANACRYPTOR.bin.exe	54
PID 1816 wrote to memory of 1552	1816	WANACRYPTOR.bin.exe	54
PID 1816 wrote to memory of 1552	1816	WANACRYPTOR.bin.exe	54
PID 1816 wrote to memory of 1552	1816	WANACRYPTOR.bin.exe	54
PID 1816 wrote to memory of 1084	1816	WANACRYPTOR.bin.exe	55
PID 1816 wrote to memory of 1084	1816	WANACRYPTOR.bin.exe	55
PID 1816 wrote to memory of 1084	1816	WANACRYPTOR.bin.exe	55
PID 1816 wrote to memory of 1084	1816	WANACRYPTOR.bin.exe	55
PID 1816 wrote to memory of 600	1816	WANACRYPTOR.bin.exe	56
PID 1816 wrote to memory of 600	1816	WANACRYPTOR.bin.exe	56
PID 1816 wrote to memory of 600	1816	WANACRYPTOR.bin.exe	56
PID 1816 wrote to memory of 600	1816	WANACRYPTOR.bin.exe	56
PID 1816 wrote to memory of 920	1816	WANACRYPTOR.bin.exe	57
PID 1816 wrote to memory of 920	1816	WANACRYPTOR.bin.exe	57
PID 1816 wrote to memory of 920	1816	WANACRYPTOR.bin.exe	57
PID 1816 wrote to memory of 920	1816	WANACRYPTOR.bin.exe	57
PID 1816 wrote to memory of 1976	1816	WANACRYPTOR.bin.exe	58
PID 1816 wrote to memory of 1976	1816	WANACRYPTOR.bin.exe	58
PID 1816 wrote to memory of 1976	1816	WANACRYPTOR.bin.exe	58
PID 1816 wrote to memory of 1976	1816	WANACRYPTOR.bin.exe	58

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1316	attrib.exe

C:\Users\Admin\AppData\Local\Temp\WANACRYPTOR.bin.exe
"C:\Users\Admin\AppData\Local\Temp\WANACRYPTOR.bin.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:1316
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2000
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 206411604464764.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - Loads dropped DLL
    PID:1588
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Users\Admin\AppData\Local\Temp\@[email protected]
    @[email protected] vs
    3⤵
    PID:376
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hbntsshfevel836" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hbntsshfevel836" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:920
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Users\Admin\AppData\Local\Temp\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:920
- C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-160-0x00000000030A0000-0x00000000030B1000-memory.dmp

Filesize
68KB

Download
memory/316-76-0x0000000002C90000-0x0000000002CA1000-memory.dmp

Filesize
68KB

Download
memory/316-243-0x0000000003890000-0x00000000038A1000-memory.dmp

Filesize
68KB

Download
memory/316-244-0x0000000003480000-0x0000000003491000-memory.dmp

Filesize
68KB

Download
memory/316-77-0x00000000030A0000-0x00000000030B1000-memory.dmp

Filesize
68KB

Download
memory/316-159-0x0000000002C90000-0x0000000002CA1000-memory.dmp

Filesize
68KB

Download
memory/316-78-0x0000000002C90000-0x0000000002CA1000-memory.dmp

Filesize
68KB

Download
memory/316-161-0x0000000002C90000-0x0000000002CA1000-memory.dmp

Filesize
68KB

Download
memory/316-242-0x0000000003480000-0x0000000003491000-memory.dmp

Filesize
68KB

Download
memory/1012-339-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1588-49-0x0000000002750000-0x0000000002754000-memory.dmp

Filesize
16KB

Download
memory/1816-4-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download