wannacry | 6e51fa23db7d2f83f3d380d6d465e32621793d8c50e6bde255d996c25288c044

Resubmissions

09-10-2022 16:44

221009-t8424ahder 10

01-10-2022 12:08

221001-pawkvagab7 10

Analysis

max time kernel
73s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-10-2022 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe
Size

244KB
MD5

bd96a097cc41b1e0b452c537d445962f
SHA1

56046e20c82984abfd0febf669d7493f6d155cde
SHA256

ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f
SHA512

649b6898dedf3bea2488f584dc2a3947873c9fa1d3f872c67bb262be976643ac8204aec014f81ad5b03031f049c7227f193ee8fa58b32a84ecaad035ac9d6fdb
SSDEEP

3072:xmrhd5U1eigWcR+uiUg6p4FLlG4tlLpz+mmCkHFZjoHEo3m:xEd5+IZiZhLlG4NimmCK

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1876 784 WerFault.exe ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe

pid	pid_target	process	target process
1876	784	WerFault.exe	ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1468	AUDIODG.EXE
Token: 33	1468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1468	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe

pid process

784 ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe

pid	process
784	ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe
784	ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe

description	pid	process	target process
PID 784 wrote to memory of 1876	784	ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe	WerFault.exe
PID 784 wrote to memory of 1876	784	ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe	WerFault.exe
PID 784 wrote to memory of 1876	784	ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe	WerFault.exe
PID 784 wrote to memory of 1876	784	ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe
"C:\Users\Admin\AppData\Local\Temp\ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe"
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 312
2⤵
- Program crash
PID:1876

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x488
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/1428-55-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1876-56-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads