Overview

overview

10

Static

static

10

WannaCry/H...c1.dll

windows7_x64

1

WannaCry/H...c1.dll

windows10_x64

1

WannaCry/H...81.dll

windows7_x64

10

WannaCry/H...81.dll

windows10_x64

10

WannaCry/T...7f.dll

windows7_x64

10

WannaCry/T...7f.dll

windows10_x64

10

WannaCry/T...71.dll

windows7_x64

10

WannaCry/T...71.dll

windows10_x64

10

WannaCry/T...02.dll

windows7_x64

10

WannaCry/T...02.dll

windows10_x64

10

WannaCry/T...2f.dll

windows7_x64

10

WannaCry/T...2f.dll

windows10_x64

10

WannaCry/T...a6.dll

windows7_x64

10

WannaCry/T...a6.dll

windows10_x64

10

WannaCry/T...3f.dll

windows7_x64

10

WannaCry/T...3f.dll

windows10_x64

10

WannaCry/T...66.dll

windows7_x64

10

WannaCry/T...66.dll

windows10_x64

10

WannaCry/T...ba.dll

windows7_x64

10

WannaCry/T...ba.dll

windows10_x64

10

WannaCry/T...37.dll

windows7_x64

WannaCry/T...37.dll

windows10_x64

10

WannaCry/T...10.dll

windows7_x64

10

WannaCry/T...10.dll

windows10_x64

10

WannaCry/T...f2.dll

windows7_x64

10

WannaCry/T...f2.dll

windows10_x64

10

WannaCry/T...af.dll

windows7_x64

10

WannaCry/T...af.dll

windows10_x64

10

WannaCry/T...40.dll

windows7_x64

10

WannaCry/T...40.dll

windows10_x64

10

WannaCry/T...81.dll

windows7_x64

10

WannaCry/T...81.dll

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    WannaCry.7z

  • Size

    81.8MB

  • Sample

    201226-4cfq4gn5a2

  • MD5

    0ef6a4c8e7a818e81ed5053275545d7a

  • SHA1

    896ad9f448388b0d0311a6f4488aa081e970bca0

  • SHA256

    edd1fbcf42000838a7cb6bc32d4f41d8c2f894c0e749f0239b238d0432d0bf92

  • SHA512

    21cab89ae8bb2f1d5d2fea9d0d6f3bebc2c3157876cd17328f7dafc13ee8e56dd34cc0afef87fadc90540dad25f41d54889da2dc9eccd9c6eaa20ae2d2dd5314

Score
10/10
metasploitwannacrybackdoorevasionransomwaretrojanworm

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Targets

    • Target

      WannaCry/HEUR.Trojan-Downloader.Win32.Generic.02c5f1515bf42798728fac17bfe1e4c1

    • Size

      69KB

    • MD5

      02c5f1515bf42798728fac17bfe1e4c1

    • SHA1

      3ec5ae59a7182bb8444e858e8cb0c853da5f583e

    • SHA256

      532f2872fa75cf8b0d8d206955478324a4d23b8c88d7f3a93e567a962806ef9d

    • SHA512

      415d717dd59e30d1aa1ba48c08af52c44edd6ce879ac18eb9b57b74d274e4462836068bf14ac3a6dc3f1fe7fe799abe9ac711d95dada78073cb96d8ce2264b19

    Score
    1/10
    behavioral1behavioral2

    • Target

      WannaCry/HEUR.Trojan.Win32.Generic.fc4bb3140f35cc8abd681b63096e7b81

    • Size

      5KB

    • MD5

      fc4bb3140f35cc8abd681b63096e7b81

    • SHA1

      0946eff5c8cb8bca76dc0702e15076a332929439

    • SHA256

      89c3af5318ed0d9de1f320f94152a6730a6a3cbef53593e2a23765da015132d9

    • SHA512

      8848e247ece3f51de90c35b93902b46ae4099f611a056b2cf4431f7251296939647f1b964b948a578cba2aa74b4b4123a7a2e05e696e9941eecdb3aebf11be29

    Score
    10/10
    metasploitbackdoortrojan

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Use of msiexec (install) with remote resource

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.01bdc6fb077098f4a3b60f4b0e479a7f

    • Size

      5.0MB

    • MD5

      01bdc6fb077098f4a3b60f4b0e479a7f

    • SHA1

      61acc362327a7df8f7672b905c62414f769beb61

    • SHA256

      35c0e0c0e70565cfdc78ac708e122c2f65059ea337216418d674a343da90927e

    • SHA512

      1c1adcf76854c615cd80ff489845c3261ff3de5f6dd1374527cdd5e00ecb0510a4a03df554f4299dd786d8d3abc6a3f7ad9ecda3cfed6e19b00c6cf30321bab5

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral5behavioral6

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871

    • Size

      5.0MB

    • MD5

      033f9150e241e7accecb60d849481871

    • SHA1

      09067fd23539df1ece704a92b2dca8e32f20f7c8

    • SHA256

      5013a9fc3766f0c065d44c9f6a6a8c0101811d7df4860dd50cf627a0d28ed007

    • SHA512

      e08d2eb9edacbda6dfc7b2a153eaa7f38fe967876df28230e0cc88d3511d8f867f32314f49e761f402d1ff6f10fb411546ca549d855d9676992788670d512015

    Score
    10/10
    wannacryransomwarewormevasion

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral7behavioral8

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab2aeda90221832167e5127332dd702

    • Size

      5.0MB

    • MD5

      0ab2aeda90221832167e5127332dd702

    • SHA1

      f370045d8ac3f4ba78acf8bfe4c4d35758d5ea05

    • SHA256

      64bb708b31b4b043018457c1098465ea83da7d6408c7029b2f68c333fc25891c

    • SHA512

      8062093734b11fdd2a8650bfcbc22f36aa679103e7a7ebee74db1ecfcdbf9d9bf76d105f395308db713746dbadacc5796db85ab883a4187587f03b2d3cf7b75b

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral9behavioral10

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f

    • Size

      5.0MB

    • MD5

      0ab9a60a55cb40fc338e8f4988feee2f

    • SHA1

      40b02f6f1d79200e8c2cca3123f08994b06cc0cf

    • SHA256

      8fb8affd012c7c103942c3c544ca7a2e31375428bb6cd17fbd49a6be08e47103

    • SHA512

      ccf39f7923768037e823a5f3ddfc0895bb244c35a39d5199cbcd6a830e1544c56e3aa322cf7ede0fa8332ce6925a01755c9e1606dddb308c5e6f63b855e2ae11

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral11behavioral12

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b76c276a6

    • Size

      5.0MB

    • MD5

      0d95f3f64e7782ec7acd3a1b76c276a6

    • SHA1

      c9301e03c44831417d5afad96921e565577c08cf

    • SHA256

      0b352401619b8b6375dd37ba94a8b73526f428631ac12145858a94ce354b5ddc

    • SHA512

      2e0c5066169488d18fe4dd4981e90066ddf66ab0aa2dab41aecd0e444e595894bd418ab896503d4b2fbee98f9c13506911561e11f881117a74e9e1017eca6eb0

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral13behavioral14

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f

    • Size

      5.0MB

    • MD5

      106e21fb736cb4e7a18a1746ef18e03f

    • SHA1

      77a6da4aba3f6f0f8da2d5a5d646d295ca0fb088

    • SHA256

      54d4b7ac7bafcf657cceb0ba8231d287065a1da82f9cc8dbf4077be950bf3d8e

    • SHA512

      0056a56bb4a95743232034ea6db0fe692c43751c4854b1695cf82989be82c987e64fa48448cc07516409f3e50c0ae9c0b6ccefb37b504cc3f7a05334a5f6e7cb

    Score
    10/10
    wannacryransomwarewormevasion

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral15behavioral16

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.1147f2c00d4bfd70169fe034c5965066

    • Size

      5.0MB

    • MD5

      1147f2c00d4bfd70169fe034c5965066

    • SHA1

      9980fd5980bd588e0208b3bfd369ce2736a808b8

    • SHA256

      9b96dfe280eea60d7b0c309cdf41828f486f4f4d541953874763fdd81d5fb2ef

    • SHA512

      2e16bdf113d151397b3b4ffe1cdba6c4dbe9fdfc126e9095c2d2c97cf4261d45354dccfc6ceaa0b4a46e58b54d8b4ccd607f536b324af7c155e2564a315b7081

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral17behavioral18

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.12cb506898dac8a271c8b940a9a3dfba

    • Size

      5.0MB

    • MD5

      12cb506898dac8a271c8b940a9a3dfba

    • SHA1

      9c725b90c61f8c50d8f43e3f353e2874e9e8297b

    • SHA256

      06397866c0315d894b742ff60416ca0c734344d9586752a6ee35279bb2907cd0

    • SHA512

      03c1eb1f3d4232e08a718feb48b87535be6fba7aba752fed909d4933e9654ee1fa3a6909eaf5da312dfe6e16d1c33433f0b11f840d6e3559652b6e98ebc05589

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral19behavioral20

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937

    • Size

      5.0MB

    • MD5

      1d6958990c8c4f5b9b93efa692b84937

    • SHA1

      58bc6052ee6a13dc4711ca73df029a694f6e7239

    • SHA256

      716954bdf4ef6882a71c8f2aa3981190da7777b50a3988069bb68eed17c7ddc8

    • SHA512

      cb1445e197763d3ae28e8b7186a5f57cd8f34cbcba7c627d7004eb6dddbca67526ae721aff62d26c21b3585c0caef698b236194c90619c970099a5eced8d2682

    Score
    10/10
    wannacryevasionransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral21behavioral22

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.1e8e8eb9b0c25208b5c83be09430c010

    • Size

      5.0MB

    • MD5

      1e8e8eb9b0c25208b5c83be09430c010

    • SHA1

      be0ed07c7ec11f091b5a351bde73f78458d8c8e3

    • SHA256

      ba40208a38500e7c001fede2b264ae758e115750c80384f67ed4163edc5d2644

    • SHA512

      51ea750fa7e9a0b3ef8e9088e70ade172a80a860a471a1cbce004628ab6866fbe882d7f1091da9c169473751defb826045bfc5aef227d9d8c85a14d0c217a8dc

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral23behavioral24

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2

    • Size

      5.0MB

    • MD5

      29a9dd686f08aacddacc43a0c57215f2

    • SHA1

      3ed8902c24568adafc3ac35d9b4c92ba02406e8c

    • SHA256

      02e4a7ebf81840f41a3c8b5e330a37977b7783120ed12deca77d30825266810d

    • SHA512

      28234611882e8facdb6feb0072d72d4c8790d57a2b5eba33074f914a0a04ee4d95f50a4c9038c04526db37b5678e5d53363fb3f0ea168e13d948aa950e0fc4d4

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral25behavioral26

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.2a13081acf353142a3e792683520cfaf

    • Size

      5.0MB

    • MD5

      2a13081acf353142a3e792683520cfaf

    • SHA1

      9ced5f6260a5b508a6226693936a7d8f2308db27

    • SHA256

      4c44d1c79e5f6f15d7dd3416f79e4fadb669c32615ab234767b506a8116e44f0

    • SHA512

      ab9cee7fa2c4ee3a58031a82ea275c13d72a0399c2cc889170715e334cff8760be7fd8ee90a77128cdacbf4c6f3538f391f5c9d595653be24cfa0dacb947a210

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral27behavioral28

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.2e5a8ac5174219bcb08d7449e43b1440

    • Size

      5.0MB

    • MD5

      2e5a8ac5174219bcb08d7449e43b1440

    • SHA1

      85b598ce3a40735b1dbb489decfae29ff2bcf319

    • SHA256

      f83fb171610f8e38b41401f44c58d3448966fb5a15dedc04a8a015d6d6ac6767

    • SHA512

      2a66da1f7ae9a007276499bbd025a760897a98a7a315225b555f89c63889e90e1f4415c4e434f5097c441d9d7cf1a6b61a24c03936a0f2b84b7ae4cc6f006eec

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral29behavioral30

    • Target

      WannaCry/Trojan-Ransom.Win32.Wanna.m.2f76b88b420003516f90062940ef7881

    • Size

      5.0MB

    • MD5

      2f76b88b420003516f90062940ef7881

    • SHA1

      08b943a7b7f4d368ed0c66afa4c98087be5efd4b

    • SHA256

      1c4a7589d26c97c38d4f826242b6740b35441e43ddd7394d399dbf94ab868483

    • SHA512

      b3e9d92ec825adbb0cc05d65515a89c16b8af05b0dbaebca4f347d4c1e445c3722b0331be495c3eba0eeb0cb610b4fc60525b81ca1b97e50a27363870cc6596c

    Score
    10/10
    wannacryransomwareworm

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Executes dropped EXE

    • Drops file in System32 directory

    behavioral31behavioral32

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

3
T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

3
T1070

File Deletion

9
T1107

Credential Access

Discovery

Query Registry

3
T1012

Peripheral Device Discovery

3
T1120

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

12
T1490

Tasks

static1

metasploit
Score
10/10

behavioral1

Score
1/10

behavioral2

Score
1/10

behavioral3

metasploitbackdoortrojan
Score
10/10

behavioral4

metasploitbackdoortrojan
Score
10/10

behavioral5

wannacryransomwareworm
Score
10/10

behavioral6

wannacryransomwareworm
Score
10/10

behavioral7

wannacryransomwareworm
Score
10/10

behavioral8

wannacryevasionransomwareworm
Score
10/10

behavioral9

wannacryransomwareworm
Score
10/10

behavioral10

wannacryransomwareworm
Score
10/10

behavioral11

wannacryransomwareworm
Score
10/10

behavioral12

wannacryransomwareworm
Score
10/10

behavioral13

wannacryransomwareworm
Score
10/10

behavioral14

wannacryransomwareworm
Score
10/10

behavioral15

wannacryransomwareworm
Score
10/10

behavioral16

wannacryevasionransomwareworm
Score
10/10

behavioral17

wannacryransomwareworm
Score
10/10

behavioral18

wannacryransomwareworm
Score
10/10

behavioral19

wannacryransomwareworm
Score
10/10

behavioral20

wannacryransomwareworm
Score
10/10

behavioral21

Score
1/10

behavioral22

wannacryevasionransomwareworm
Score
10/10

behavioral23

wannacryransomwareworm
Score
10/10

behavioral24

wannacryransomwareworm
Score
10/10

behavioral25

wannacryransomwareworm
Score
10/10

behavioral26

wannacryransomwareworm
Score
10/10

behavioral27

wannacryransomwareworm
Score
10/10

behavioral28

wannacryransomwareworm
Score
10/10

behavioral29

wannacryransomwareworm
Score
10/10

behavioral30

wannacryransomwareworm
Score
10/10

behavioral31

wannacryransomwareworm
Score
10/10

behavioral32

wannacryransomwareworm
Score
10/10