wannacry | c2e8eab84c23134e367654536c0e40144e4c1c7ad5aaa09443dca439203bfca6 | Triage

Sharing

General

Target

5899865358630912.zip
Size

4.9MB
Sample

210420-z5xebctccj
MD5

2ab7983de254a6adda7fce7dd1bf5478
SHA1

7e89bd47ed041bb67c4270357be93b88332a9a5f
SHA256

c2e8eab84c23134e367654536c0e40144e4c1c7ad5aaa09443dca439203bfca6
SHA512

acdc627b990a543d2514e2a1547f067edc14eaa03296f0575f5f1fca83b3e7793c3e3495a2879602202312198e4b6464e6ade57b11e534e3e2fd7469c9a13342

Score

10^/10

wannacry evasion ransomware trojan upx worm

Malware Config

Targets

- Target
  
  047c2a3d2157d2ee24ebe9b9b74148c1e4e29a3eacf1d1145faf785361afb4d8
- Size
  
  407KB
- MD5
  
  4698544b9533d620f28d25ca14a8f92b
- SHA1
  
  bbe0896a3360084ea2cbd06f5a5780f7df3ad6f2
- SHA256
  
  047c2a3d2157d2ee24ebe9b9b74148c1e4e29a3eacf1d1145faf785361afb4d8
- SHA512
  
  af9d5a0db07c603534b28d18fe805a6cfa66969c0db74ceb4038ef0101acf2a0d7e7e3a781b1795084a89561d16021a645f6147850caefd31b04bb808e3f59ad
Score

10^/10
- Suspicious use of NtCreateProcessExOtherParentProcess
behavioral1 behavioral2
- Target
  
  187449ec20d9ad83a5d62f78d7eb090a04950ce4b5ec635ed0cf8748d23689d7
- Size
  
  111KB
- MD5
  
  727716c6c4281a2cbb9e8eaeedf954fd
- SHA1
  
  2e831e36171a4e78a5fdccb66df50393e9fe846d
- SHA256
  
  187449ec20d9ad83a5d62f78d7eb090a04950ce4b5ec635ed0cf8748d23689d7
- SHA512
  
  2cefa7af9779feb50ffd3413c51792975eeb97b7eccede39c4d0916acfb29c4ad294ea65e48a85b4d522bb0f59578ae0025f1cc648875ed4b6c11c11b17658ea
Score

10^/10

evasion trojan upx
- Modifies firewall policy service
  evasion
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
behavioral3 behavioral4
- Target
  
  1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53
- Size
  
  636KB
- MD5
  
  4a4958ffe77c82041421024861cf0cc9
- SHA1
  
  c4c371f190c7363c8d0e6675702338f11214ea09
- SHA256
  
  1c222584eda989738779e1b914ec20bf428ad0db3683ca71f43f8a80c4494d53
- SHA512
  
  ac05159733601ffecfab34cba6a5465ca553e035046c50361784409d2b779bcb40c2f05bf0fa749fd2470cae20675cd04d9c46dc6977e46b7d27fff3ae2226e5
Score

10^/10

evasion
- Modifies firewall policy service
  evasion
- Suspicious use of NtCreateProcessExOtherParentProcess
behavioral5 behavioral6
- Target
  
  2b91b538f8fa67a38ef97641ce192ce737b0f2e13480c83ad666f3fa3e82f3da
- Size
  
  3.7MB
- MD5
  
  b110105b9654c61d6edc641c1b1c45d6
- SHA1
  
  a7ea2f9311cde3165d37b338588aaad276f3e7d0
- SHA256
  
  2b91b538f8fa67a38ef97641ce192ce737b0f2e13480c83ad666f3fa3e82f3da
- SHA512
  
  99b924113b5e036766d8538e290a10cfa1b6ebcc70a4dceb2fb48396290ab35e45920e6a90f8234d5fff2559d317880f157fcfc3a105e871f8c750291b477b11
Score

10^/10

wannacry ransomware worm evasion
- Modifies firewall policy service
  evasion
- Suspicious use of NtCreateProcessExOtherParentProcess
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Drops file in System32 directory
behavioral7 behavioral8
- Target
  
  5a51cd846336f4900789df0f28e15b90c6eb9228c08105dd842ab58fd0e33af8
- Size
  
  172KB
- MD5
  
  c7e4fd60b85fd0bb459dd25d18ed9ba3
- SHA1
  
  c06f3398ab9f1f4b2c3f0efe10a35c4637e0a451
- SHA256
  
  5a51cd846336f4900789df0f28e15b90c6eb9228c08105dd842ab58fd0e33af8
- SHA512
  
  49ed2cbaf611e4d77b9799870d66809f92a653642f280639b48584a969192c45ed642f82e9dbf89a518d8c21f78ec45586e59d95c26babf4472e470a226598e5
Score

10^/10

evasion trojan
- Modifies firewall policy service
  evasion
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
behavioral9 behavioral10
- Target
  
  684f7a95584e49ee72624e94d79137b53e329d8ccc8909357d83b1a45fd0beab
- Size
  
  96KB
- MD5
  
  c2162c5414dbfbf711552f8d2380d5e2
- SHA1
  
  665bb4edc2a067145f1ea0883532f9eac321628a
- SHA256
  
  684f7a95584e49ee72624e94d79137b53e329d8ccc8909357d83b1a45fd0beab
- SHA512
  
  6965653765077d407028afb22c73b9011de9966f1b42bd04081c285e4254f7bf0a6ddad0cfa9c080e7eb0a91b7a0494859c56db0b6b44faa7924bd5832d03f36
Score

1^/10
behavioral11 behavioral12
- Target
  
  6a784913e59abb1b02af92535709bc244fac4c3f2252200403c89dfc350197a2
- Size
  
  768KB
- MD5
  
  5e39e14ec7e7f97d50ffe49757f4e6fa
- SHA1
  
  d462b3896493ac7ce2af9a142554397457648e88
- SHA256
  
  6a784913e59abb1b02af92535709bc244fac4c3f2252200403c89dfc350197a2
- SHA512
  
  83efc946f8a67fe39bc2825b29ddd163ccd98b91b5fa41ba21ea8bec7d76f0f8e55e966c6696d3e4fe95de5b6fe16a0a41d1ae6ee0cba05b5bfa9957d1eba5e3
Score

10^/10

evasion trojan upx
- Modifies firewall policy service
  evasion
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral13 behavioral14
- Target
  
  97a7a92b88033bbd98d67b8438362854391035ae7c464f8d50a2e1fe7304f7f7
- Size
  
  98KB
- MD5
  
  617afa0db788aeaf1db6d26d1252aee3
- SHA1
  
  54e551acfd98b88aea7f10e6e69aa0f567a2050f
- SHA256
  
  97a7a92b88033bbd98d67b8438362854391035ae7c464f8d50a2e1fe7304f7f7
- SHA512
  
  cae3d16591af6034381e368dbb59e61110589add19e56bd0c5062cfe0597b618dd9141ad131c54b0b16f2a8b7d7878041486ac087b39c5032e845b9bc6722eaf
Score

10^/10

evasion
- Modifies firewall policy service
  evasion
behavioral15 behavioral16
- Target
  
  aeddc10ec9201b276bda81b6e047dbddc8bb4933c2ed796b6f377c8e2c52d012
- Size
  
  2.0MB
- MD5
  
  529a292d8177e7f97b00489724652425
- SHA1
  
  0548c6fe35cbf2543991cd3f344b029b85359c1e
- SHA256
  
  aeddc10ec9201b276bda81b6e047dbddc8bb4933c2ed796b6f377c8e2c52d012
- SHA512
  
  9bac373949bc977da3e36174a3066a082dbd2012f915a7914982b4f08075ef0c7ec9e2f62df4ebe9b67a951a72a40419832c543233d9dd7e4ae0ac5c777d7152
Score

10^/10

evasion trojan upx
- Modifies firewall policy service
  evasion
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
behavioral17 behavioral18
- Target
  
  d1c5f5fb1ad2b7467b4714546bfbf7cbc5365ae682cfb9bfeb2821432f91bef8
- Size
  
  2.2MB
- MD5
  
  fb7c4641e3cd75147d4a118cfbb261a0
- SHA1
  
  ecca50082ebe37a1398006fea5e9796b94d859d1
- SHA256
  
  d1c5f5fb1ad2b7467b4714546bfbf7cbc5365ae682cfb9bfeb2821432f91bef8
- SHA512
  
  23bab164117728dd8624daff929dbec616a1cd8b249391c925605f177dea72b707dab686edb9c03521a23de7fc497d0bca795632ffe9573168ac3ee1c4038322
Score

10^/10

evasion
- Modifies firewall policy service
  evasion
- Suspicious use of NtCreateProcessExOtherParentProcess
behavioral19 behavioral20

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

Privilege Escalation

Bypass User Account Control

Defense Evasion

Modify Registry

Bypass User Account Control

Disabling Security Tools

Credential Access

Discovery

System Information Discovery

Query Registry

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

evasiontrojanupx

behavioral4

evasiontrojanupx

behavioral5

behavioral6

behavioral7

wannacryransomwareworm

behavioral8

wannacryevasionransomwareworm

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

evasiontrojanupx

behavioral14

evasiontrojanupx

behavioral15

behavioral16

behavioral17

evasiontrojanupx

behavioral18

evasiontrojanupx

behavioral19

behavioral20