Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    11-05-2024 03:04

General

  • Target

    be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe

  • Size

    224KB

  • MD5

    5c7fb0927db37372da25f270708103a2

  • SHA1

    120ed9279d85cbfa56e5b7779ffa7162074f7a29

  • SHA256

    be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

  • SHA512

    a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

  • SSDEEP

    3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
    "C:\Users\Admin\AppData\Local\Temp\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c 271511715396691.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1580
      • C:\Windows\SysWOW64\cscript.exe
        cscript //nologo c.vbs
        3⤵
        • Loads dropped DLL
        PID:2712
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe f
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2472
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im MSExchange*
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2544
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlserver.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:348
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlwriter.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe c
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:320
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b !WannaDecryptor!.exe v
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
        !WannaDecryptor!.exe v
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1412
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2056
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1496
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:2784
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    Filesize

    236KB

    MD5

    cf1416074cd7791ab80a18f9e7e219d9

    SHA1

    276d2ec82c518d887a8a3608e51c56fa28716ded

    SHA256

    78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

    SHA512

    0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

  • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
    Filesize

    921B

    MD5

    9f743a16deddf01436fb9711f7c1fe3e

    SHA1

    309cfbe5b423d1fe09eecac9926ce8bed07f05ca

    SHA256

    405cf385425ea8b0398b199ab404cade62d913d86481a458fbe6cbc6cbb8d68f

    SHA512

    4de0c64bd06ae959070da823809602e2ef3c1ced9de724d9df77f11c473aac8f5aa446005407a8b54672411ba2c61631aa8d51dfd4c8df815c88091620fb2a50

  • C:\Users\Admin\AppData\Local\Temp\00000000.res
    Filesize

    136B

    MD5

    b6d2e8cd0f95aecb72f6dffed4645258

    SHA1

    369b8264d4f2c9ef489335bc99db2dc0ca7b888b

    SHA256

    feedc231e042f48026560a7b5da4a231a0079500d811ed5b89a71c00d9f9c8a4

    SHA512

    e24c360696683d00d88ef7ae92c549ad57a144a99bf143d64a3fce614d7f7fedf7ff7dab3406cb6dd4dd1f60087c27fc821130561a0b2990437932c5f57fcbc4

  • C:\Users\Admin\AppData\Local\Temp\00000000.res
    Filesize

    136B

    MD5

    22b2e3c9a7b25686604231702b2b6a2f

    SHA1

    c3d7b84bfe15167d7f69511b7f3c52d558cf41c9

    SHA256

    918c33bd20a66873d7d31eed97501a90f4a0d32032d7493e2980ddb061e19655

    SHA512

    8febeef1725e541286123346e33deca076e32ffcc39e501e428258294e50c23ffad1915f1c2bf56f0d89d26baff5c7ba17a865e0d63546de3c127290929ecdb0

  • C:\Users\Admin\AppData\Local\Temp\00000000.res
    Filesize

    136B

    MD5

    455243e867b8a270f902b624ec8db44b

    SHA1

    3744b55425cc0b089a8817521fb81e6ea7f524d9

    SHA256

    73e19206beb3cefda41d205c65dcd9113527a005566751e67ad6dd282b61236d

    SHA512

    7fe3bdb62802ce08ae72c988d7b08be5bb585c9e15113106e1eda5fad4b4c191020732a2ca7c27d4a2990bd0c8aafd17515398110925e8dfa97411e82a3e3f27

  • C:\Users\Admin\AppData\Local\Temp\271511715396691.bat
    Filesize

    336B

    MD5

    3540e056349c6972905dc9706cd49418

    SHA1

    492c20442d34d45a6d6790c720349b11ec591cde

    SHA256

    73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

    SHA512

    c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

  • C:\Users\Admin\AppData\Local\Temp\c.vbs
    Filesize

    219B

    MD5

    5f6d40ca3c34b470113ed04d06a88ff4

    SHA1

    50629e7211ae43e32060686d6be17ebd492fd7aa

    SHA256

    0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

    SHA512

    4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

  • C:\Users\Admin\AppData\Local\Temp\c.wry
    Filesize

    628B

    MD5

    e87cc6ef236387a521431c602255725e

    SHA1

    ddac91a80e27212471e9d7b3c4643f5566f0daa1

    SHA256

    c429756fc12fb06d4ffb5fa1ec2312de37f5a23ae1a5e9d58afa59dd03c2a83b

    SHA512

    525d0db61712537de1b0d2386e0d79cd2ad6efb1fcefdc721115ac8733d0d5747e8b79309cdb46c206ad2af2e463ab7ca0d68e0ef62d75d04fc05465e678e6ce

  • C:\Users\Admin\AppData\Local\Temp\m.wry
    Filesize

    42KB

    MD5

    980b08bac152aff3f9b0136b616affa5

    SHA1

    2a9c9601ea038f790cc29379c79407356a3d25a3

    SHA256

    402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

    SHA512

    100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

  • C:\Users\Admin\Documents\!Please Read Me!.txt
    Filesize

    797B

    MD5

    afa18cf4aa2660392111763fb93a8c3d

    SHA1

    c219a3654a5f41ce535a09f2a188a464c3f5baf5

    SHA256

    227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

    SHA512

    4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

  • memory/2372-6-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize

    72KB