wannacry | e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5

General

Target

e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe
Size

70KB
MD5

1ce246828d587930e292cca250cc248d
SHA1

6732ea6943383948633be2c8dec81452624a9cc1
SHA256

e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5
SHA512

111746db30f166b34b9f98bc7fef273948d2cdc23830e23fedbc243b51c9a1e8b077ad042e3c8a16f8a1b7a444a1aad796c9271f5b743f6d4d32871c7e9d89ff

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2880	WMIC.exe
Token: SeSecurityPrivilege	2880	WMIC.exe
Token: SeTakeOwnershipPrivilege	2880	WMIC.exe
Token: SeLoadDriverPrivilege	2880	WMIC.exe
Token: SeSystemProfilePrivilege	2880	WMIC.exe
Token: SeSystemtimePrivilege	2880	WMIC.exe
Token: SeProfSingleProcessPrivilege	2880	WMIC.exe
Token: SeIncBasePriorityPrivilege	2880	WMIC.exe
Token: SeCreatePagefilePrivilege	2880	WMIC.exe
Token: SeBackupPrivilege	2880	WMIC.exe
Token: SeRestorePrivilege	2880	WMIC.exe
Token: SeShutdownPrivilege	2880	WMIC.exe
Token: SeDebugPrivilege	2880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2880	WMIC.exe
Token: SeRemoteShutdownPrivilege	2880	WMIC.exe
Token: SeUndockPrivilege	2880	WMIC.exe
Token: SeManageVolumePrivilege	2880	WMIC.exe
Token: 33	2880	WMIC.exe
Token: 34	2880	WMIC.exe
Token: 35	2880	WMIC.exe
Token: 36	2880	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2880	WMIC.exe
Token: SeSecurityPrivilege	2880	WMIC.exe
Token: SeTakeOwnershipPrivilege	2880	WMIC.exe
Token: SeLoadDriverPrivilege	2880	WMIC.exe
Token: SeSystemProfilePrivilege	2880	WMIC.exe
Token: SeSystemtimePrivilege	2880	WMIC.exe
Token: SeProfSingleProcessPrivilege	2880	WMIC.exe
Token: SeIncBasePriorityPrivilege	2880	WMIC.exe
Token: SeCreatePagefilePrivilege	2880	WMIC.exe
Token: SeBackupPrivilege	2880	WMIC.exe
Token: SeRestorePrivilege	2880	WMIC.exe
Token: SeShutdownPrivilege	2880	WMIC.exe
Token: SeDebugPrivilege	2880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2880	WMIC.exe
Token: SeRemoteShutdownPrivilege	2880	WMIC.exe
Token: SeUndockPrivilege	2880	WMIC.exe
Token: SeManageVolumePrivilege	2880	WMIC.exe
Token: 33	2880	WMIC.exe
Token: 34	2880	WMIC.exe
Token: 35	2880	WMIC.exe
Token: 36	2880	WMIC.exe
Token: SeBackupPrivilege	1760	vssvc.exe
Token: SeRestorePrivilege	1760	vssvc.exe
Token: SeAuditPrivilege	1760	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2188	WMIC.exe
Token: SeSecurityPrivilege	2188	WMIC.exe
Token: SeTakeOwnershipPrivilege	2188	WMIC.exe
Token: SeLoadDriverPrivilege	2188	WMIC.exe
Token: SeSystemProfilePrivilege	2188	WMIC.exe
Token: SeSystemtimePrivilege	2188	WMIC.exe
Token: SeProfSingleProcessPrivilege	2188	WMIC.exe
Token: SeIncBasePriorityPrivilege	2188	WMIC.exe
Token: SeCreatePagefilePrivilege	2188	WMIC.exe
Token: SeBackupPrivilege	2188	WMIC.exe
Token: SeRestorePrivilege	2188	WMIC.exe
Token: SeShutdownPrivilege	2188	WMIC.exe
Token: SeDebugPrivilege	2188	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2188	WMIC.exe
Token: SeRemoteShutdownPrivilege	2188	WMIC.exe
Token: SeUndockPrivilege	2188	WMIC.exe
Token: SeManageVolumePrivilege	2188	WMIC.exe
Token: 33	2188	WMIC.exe
Token: 34	2188	WMIC.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.execmd.exe

description	pid	process	target process
PID 3844 wrote to memory of 816	3844	e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe	cmd.exe
PID 3844 wrote to memory of 816	3844	e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe	cmd.exe
PID 3844 wrote to memory of 816	3844	e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe	cmd.exe
PID 816 wrote to memory of 2880	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 2880	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 2880	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 2188	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 2188	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 2188	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 3744	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 3744	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 3744	816	cmd.exe	WMIC.exe
PID 816 wrote to memory of 1064	816	cmd.exe	xcopy.exe
PID 816 wrote to memory of 1064	816	cmd.exe	xcopy.exe
PID 816 wrote to memory of 1064	816	cmd.exe	xcopy.exe

C:\Users\Admin\AppData\Local\Temp\e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe
"C:\Users\Admin\AppData\Local\Temp\e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\77FC.tmp\Ransomware.bat" C:\Users\Admin\AppData\Local\Temp\e669f2d391bb418784e76076042728a4ab2d57ecbf09fc1adc391785a990a1e5.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy /f /d Ransomware.exe C:\Users\User\AppData\Local\VMIC\vmic.exe
    3⤵
    - Enumerates system info in registry
    PID:1064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

1

T1107

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

1

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\77FC.tmp\Ransomware.bat

MD5
67800cc82f6e532eb3800e0843b60e0a

SHA1
79d28c411ddf13308fb2cd225099b76c72431b63

SHA256
4b29fda450e9e87ee95df3f8d95c23d65f919a63844582d51684877b6f7f0c18

SHA512
88a1b6fdd39514fc464fa276db680df85db52cbc2f4e7739725a01c9d6358e7f5d953cd718f084dd108698878e87be9b78f735262a7a49bdfc6715206e654647

Download Submit

Analysis

Sharing