wannacry | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Analysis

max time kernel
1s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
21-11-2022 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1360 icacls.exe

pid	process
1360	icacls.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	pid	process	target process
PID 1284 wrote to memory of 1144	1284	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1284 wrote to memory of 1144	1284	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1284 wrote to memory of 1144	1284	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1284 wrote to memory of 1144	1284	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1284 wrote to memory of 1360	1284	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 1284 wrote to memory of 1360	1284	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 1284 wrote to memory of 1360	1284	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 1284 wrote to memory of 1360	1284	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1144 attrib.exe

pid	process
1144	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:1144

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

Filesize
19KB

MD5
aaa27de1bbbc2165cb2d2ea22f1c1fdd

SHA1
5fda3862074ddc9033255891df311eabe9a01d62

SHA256
72593b0a8fb9f1166226f9cdcfce3eae4a8d8ceba16ea39b4254a702d348165d

SHA512
2b05f661459ac33eafc676f5e04121bd0b1d2e0daa7ed9b0362fee62085696442ac76a2a8b617288c075df0f4d83c17553e78b926d42ba734b01a60259fa7910

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

Filesize
18KB

MD5
9fe369967bb336561e6d308d7ddde743

SHA1
fb819536be602482b291377b6b6b627306dd9292

SHA256
7d5a9369723add6c9ca3b5732be348ab25078e7c24dd4e8865737ba3e2a2c68a

SHA512
2d381c2397225feb624dd5b5eb592a456a7c1f4870f9c2f49187410ac4d1f4c82e3569f94209718770a0156266393f0d4af95cfcf43f0565d3ae171d2c5026ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

Filesize
8KB

MD5
fa5c5dfeb4d21a44634ca14b90ba1f23

SHA1
386bdc32864b8cedadfa7c7fa7c42277870c5238

SHA256
899c599cf81e34a84c951313a226e240ca51c4a5e19e3cca4ee87cfdfafbb5df

SHA512
c225d9c9cbb0e9c28cc554defc2feb7c41750161f0d695c50c35aa31e63fc842caf5716ab1a0b05bfad3569d380a06f24197ba0eaac9b8a4f14d66c477971836

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

Filesize
8KB

MD5
d4c39ef325e1265d4e2b95e0071244f1

SHA1
38ae7abd18ab9d2f0b5a0014fa9bd74cf783f3c1

SHA256
521bc4bddb6dbd6e3cf0db83a604a651831d1315b48638368d7ce0b020c9c807

SHA512
c598ffaae48f8366d7493d9a11e23e80fe66bdd181585b9a5379eee43730100636f3b81122e4996acb0c70bb75a4c6f089d6561173b49a8a40f89cb42d9c761c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Filesize
8KB

MD5
fa5c5dfeb4d21a44634ca14b90ba1f23

SHA1
386bdc32864b8cedadfa7c7fa7c42277870c5238

SHA256
899c599cf81e34a84c951313a226e240ca51c4a5e19e3cca4ee87cfdfafbb5df

SHA512
c225d9c9cbb0e9c28cc554defc2feb7c41750161f0d695c50c35aa31e63fc842caf5716ab1a0b05bfad3569d380a06f24197ba0eaac9b8a4f14d66c477971836

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
8KB

MD5
10f0fe2cc54a0fbbc7aa25139f637a83

SHA1
bc43c59281b6432fca56c9d14ec1b99cf2da4623

SHA256
2b85a3bc6255b7ea3e9ebcf4f20e82194e123a8b6d5eb017e0a6886a8fb26b63

SHA512
2be9c189edb01385eb8f0c0b0125dc21f43292a96d202ec47e8a75994634db9d3da477d2060d8c17569126a4fbc93e7d660d80ca7b0be47b54e91068d661ea4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

Filesize
8KB

MD5
10f0fe2cc54a0fbbc7aa25139f637a83

SHA1
bc43c59281b6432fca56c9d14ec1b99cf2da4623

SHA256
2b85a3bc6255b7ea3e9ebcf4f20e82194e123a8b6d5eb017e0a6886a8fb26b63

SHA512
2be9c189edb01385eb8f0c0b0125dc21f43292a96d202ec47e8a75994634db9d3da477d2060d8c17569126a4fbc93e7d660d80ca7b0be47b54e91068d661ea4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

Filesize
2KB

MD5
d3788532f641feae90d8c560d054a954

SHA1
3dc2bf37bfbc7f9c55c302a2240a5df102dac376

SHA256
ca18a87ff459f343f69a78b4112a76a3d7f6dfa968a4940d350b8cb5d8d3dbd8

SHA512
3f961b233fa8ae05b4413781ca39d6c12e67752207edf3f046a02c80fb09594c2aebf881714f2ead941b3c94dced6e1beaccefbb9709ebc502c1ad896bdbe352

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

Filesize
2KB

MD5
f9132a78fea381f54fdae28a9fc5e18e

SHA1
9f286101d79e27d776570f3a07a348ffbba94ed5

SHA256
74c0f1547a0499a72493556666f42ee92686f693d452d97a8b891c59063f7030

SHA512
f2b658200d712e5a0947532ee6abd1e999971494a32d69b67d27ebdb7aecb405d5bd2c4a9fea5f8b74993a3fa313618db0b4b8f61b88b40f69bb07008f79271e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

Filesize
2KB

MD5
d4d36c2f862ab800003d9c33f6a5ace7

SHA1
6aa4dd304da4664801836cd17eb9bf35d60fa887

SHA256
d22a91e6fa0065ce525fbf22aac08760d51d95473714c45a6fc3e151c8fdf200

SHA512
fb84c9cfb4e0aaec636c9409e28c8e8995ce2583b60cc3520861afeb3e0da241cbd859b4a1a480d682258df0017b76fc8d1356ff30fc845b1ca5b7311deb3f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
memory/1144-54-0x0000000000000000-mapping.dmp

Download
memory/1284-57-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1284-56-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/1360-55-0x0000000000000000-mapping.dmp

Download