wannacry | e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5

General

Target

e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe
Size

70KB
MD5

1ce246828d587930e292cca250cc248d
SHA1

6732ea6943383948633be2c8dec81452624a9cc1
SHA256

e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5
SHA512

111746db30f166b34b9f98bc7fef273948d2cdc23830e23fedbc243b51c9a1e8b077ad042e3c8a16f8a1b7a444a1aad796c9271f5b743f6d4d32871c7e9d89ff

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

952 vssadmin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

pid	process
952	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeBackupPrivilege	536	vssvc.exe
Token: SeRestorePrivilege	536	vssvc.exe
Token: SeAuditPrivilege	536	vssvc.exe
Token: SeIncreaseQuotaPrivilege	564	WMIC.exe
Token: SeSecurityPrivilege	564	WMIC.exe
Token: SeTakeOwnershipPrivilege	564	WMIC.exe
Token: SeLoadDriverPrivilege	564	WMIC.exe
Token: SeSystemProfilePrivilege	564	WMIC.exe
Token: SeSystemtimePrivilege	564	WMIC.exe
Token: SeProfSingleProcessPrivilege	564	WMIC.exe
Token: SeIncBasePriorityPrivilege	564	WMIC.exe
Token: SeCreatePagefilePrivilege	564	WMIC.exe
Token: SeBackupPrivilege	564	WMIC.exe
Token: SeRestorePrivilege	564	WMIC.exe
Token: SeShutdownPrivilege	564	WMIC.exe
Token: SeDebugPrivilege	564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	564	WMIC.exe
Token: SeRemoteShutdownPrivilege	564	WMIC.exe
Token: SeUndockPrivilege	564	WMIC.exe
Token: SeManageVolumePrivilege	564	WMIC.exe
Token: 33	564	WMIC.exe
Token: 34	564	WMIC.exe
Token: 35	564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	564	WMIC.exe
Token: SeSecurityPrivilege	564	WMIC.exe
Token: SeTakeOwnershipPrivilege	564	WMIC.exe
Token: SeLoadDriverPrivilege	564	WMIC.exe
Token: SeSystemProfilePrivilege	564	WMIC.exe
Token: SeSystemtimePrivilege	564	WMIC.exe
Token: SeProfSingleProcessPrivilege	564	WMIC.exe
Token: SeIncBasePriorityPrivilege	564	WMIC.exe
Token: SeCreatePagefilePrivilege	564	WMIC.exe
Token: SeBackupPrivilege	564	WMIC.exe
Token: SeRestorePrivilege	564	WMIC.exe
Token: SeShutdownPrivilege	564	WMIC.exe
Token: SeDebugPrivilege	564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	564	WMIC.exe
Token: SeRemoteShutdownPrivilege	564	WMIC.exe
Token: SeUndockPrivilege	564	WMIC.exe
Token: SeManageVolumePrivilege	564	WMIC.exe
Token: 33	564	WMIC.exe
Token: 34	564	WMIC.exe
Token: 35	564	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe
Token: SeSecurityPrivilege	1684	WMIC.exe
Token: SeTakeOwnershipPrivilege	1684	WMIC.exe
Token: SeLoadDriverPrivilege	1684	WMIC.exe
Token: SeSystemProfilePrivilege	1684	WMIC.exe
Token: SeSystemtimePrivilege	1684	WMIC.exe
Token: SeProfSingleProcessPrivilege	1684	WMIC.exe
Token: SeIncBasePriorityPrivilege	1684	WMIC.exe
Token: SeCreatePagefilePrivilege	1684	WMIC.exe
Token: SeBackupPrivilege	1684	WMIC.exe
Token: SeRestorePrivilege	1684	WMIC.exe
Token: SeShutdownPrivilege	1684	WMIC.exe
Token: SeDebugPrivilege	1684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1684	WMIC.exe
Token: SeRemoteShutdownPrivilege	1684	WMIC.exe
Token: SeUndockPrivilege	1684	WMIC.exe
Token: SeManageVolumePrivilege	1684	WMIC.exe
Token: 33	1684	WMIC.exe
Token: 34	1684	WMIC.exe
Token: 35	1684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1684	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.execmd.exe

description	pid	process	target process
PID 1648 wrote to memory of 1848	1648	e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe	cmd.exe
PID 1648 wrote to memory of 1848	1648	e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe	cmd.exe
PID 1648 wrote to memory of 1848	1648	e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe	cmd.exe
PID 1648 wrote to memory of 1848	1648	e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe	cmd.exe
PID 1848 wrote to memory of 952	1848	cmd.exe	vssadmin.exe
PID 1848 wrote to memory of 952	1848	cmd.exe	vssadmin.exe
PID 1848 wrote to memory of 952	1848	cmd.exe	vssadmin.exe
PID 1848 wrote to memory of 952	1848	cmd.exe	vssadmin.exe
PID 1848 wrote to memory of 564	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 564	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 564	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 564	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 1684	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 1684	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 1684	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 1684	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 1956	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 1956	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 1956	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 1956	1848	cmd.exe	WMIC.exe
PID 1848 wrote to memory of 1452	1848	cmd.exe	xcopy.exe
PID 1848 wrote to memory of 1452	1848	cmd.exe	xcopy.exe
PID 1848 wrote to memory of 1452	1848	cmd.exe	xcopy.exe
PID 1848 wrote to memory of 1452	1848	cmd.exe	xcopy.exe

C:\Users\Admin\AppData\Local\Temp\e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe
"C:\Users\Admin\AppData\Local\Temp\e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\982.tmp\Ransomware.bat" C:\Users\Admin\AppData\Local\Temp\e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:952
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /f /d Ransomware.exe C:\Users\User\AppData\Local\VMIC\vmic.exe
    3⤵
    - Enumerates system info in registry
    PID:1452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\982.tmp\Ransomware.bat

MD5
67800cc82f6e532eb3800e0843b60e0a

SHA1
79d28c411ddf13308fb2cd225099b76c72431b63

SHA256
4b29fda450e9e87ee95df3f8d95c23d65f919a63844582d51684877b6f7f0c18

SHA512
88a1b6fdd39514fc464fa276db680df85db52cbc2f4e7739725a01c9d6358e7f5d953cd718f084dd108698878e87be9b78f735262a7a49bdfc6715206e654647

Download Submit
memory/1648-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing