Analysis

  • max time kernel
    67s
  • max time network
    23s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-05-2024 13:33

General

  • Target

    Ransomware.WannaCrypt0r.v1.exe

  • Size

    224KB

  • MD5

    5c7fb0927db37372da25f270708103a2

  • SHA1

    120ed9279d85cbfa56e5b7779ffa7162074f7a29

  • SHA256

    be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

  • SHA512

    a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

  • SSDEEP

    3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions!
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe
    "C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c 56391716212026.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\SysWOW64\cscript.exe
        cscript //nologo c.vbs
        3⤵
        • Loads dropped DLL
        PID:2640
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe f
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2540
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im MSExchange*
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1600
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1556
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlserver.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1648
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlwriter.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:668
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe c
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1128
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b !WannaDecryptor!.exe v
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
        !WannaDecryptor!.exe v
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2372
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2364
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:1504
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1660
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1872

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.WCRY

      Filesize

      4KB

      MD5

      f6b07a01f064d19ba109a7e08d780aaa

      SHA1

      6d23296782619d2eaab9e86ddde4d7075578040d

      SHA256

      051138cb52f0bd9dd7b667bb767c4ec7f6ffd6c8312dd54031e65848aef40379

      SHA512

      d9214190bb3b51828b675d9cc24d5210a872547a11ad0d7113dbbab577e427e0cb34149e9dde8c704bdc562daf8a2c75b5aede42f15670c850960a54d5651c06

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png.WCRY

      Filesize

      1KB

      MD5

      a9a2f724539c55234590c06d96e6744a

      SHA1

      e69bd402a79a6ba907fdc38256f3939c11f82756

      SHA256

      1039382fca1be68bdaba697fbb87980d47ad7691db374214359fcbd5ef09155a

      SHA512

      e03f6ca664290a7ad28036b3530961fd7e4adff84ac17f587ba028be4c730007795d9a1e18e8637b7f8182b9fb50010625047bcec790b2c9c07a4017c69fc587

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.WCRY

      Filesize

      2KB

      MD5

      2d6bd6015391c99b67080a2fadfa6a4e

      SHA1

      e082ae01cf8d38fe5a2d846b8eb9c3bba969475a

      SHA256

      9da4a59bfb8b9cf8437013283dfe9ce97cc9dbefa22dae06fba625da3e1ee1dc

      SHA512

      94331605df78f548539cb3fb387e9bbf25904b5ac9be3e78982e7d7ed09f3c121cdd7dffe760fd458a0eb6a72d0ea3b88a23de3402e228dfa9662b7db2b55d5a

    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

      Filesize

      236KB

      MD5

      cf1416074cd7791ab80a18f9e7e219d9

      SHA1

      276d2ec82c518d887a8a3608e51c56fa28716ded

      SHA256

      78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

      SHA512

      0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

      Filesize

      921B

      MD5

      772188adc9a39992fd0608038f941967

      SHA1

      5f2037942bcbb38a0580a992921255c3a5c3f7f6

      SHA256

      f078a0f7d43bb6f7f67308f4f45e66f230699b8a05f1b65321eb586fa2120a5e

      SHA512

      d6a9c384297d62007225edf01323d3a79c5b9fbe662869da74ad1eaea506c08b15c1ed7796a98cb94c1b16863e76bb8a4d9382122b2d0d8d4f7b24469e05e076

    • C:\Users\Admin\AppData\Local\Temp\00000000.eky

      Filesize

      1KB

      MD5

      9dd48bca199c4d19cca04879a3ea378e

      SHA1

      b1586748a7de8d75cebd164222e3ad4745aa06b9

      SHA256

      8e5ba7542e5866cfcc21420bd6cfe942bad09855a70f50318588dccff82f9046

      SHA512

      bbd6eee007814aa8cf03282cfd82be16cec796458b85941b2b71aff705d62f4a6577f4b029ec48d52f5d0169d062cb60249692f7f87924dcf3e67d2ef796ad3d

    • C:\Users\Admin\AppData\Local\Temp\00000000.res

      Filesize

      136B

      MD5

      ecf7cf8daddf2d7fd9ff730bc31c0490

      SHA1

      367e4d2fc64a1da5775dab2380cbe5a73129f210

      SHA256

      54768fe562e12ff975bebd21a1205f7e33a2ab6526da75b46cdb0fde4377b909

      SHA512

      3f2e8b16ab18143a091ac7ec9fce772566c982a5b47b05d0d70e87463ea241ef7109bf7f664642501b718aa23adb7c2b2a711777bcfadf8a8ba56aabe7ae209b

    • C:\Users\Admin\AppData\Local\Temp\00000000.res

      Filesize

      136B

      MD5

      0d9f8f2dd58ef5897b144bcb804e7a46

      SHA1

      3ac12239d04f161520029c336e4c3ebbe1e9efe5

      SHA256

      ce56961ff4f5500304c950f24ca3b93c95cbab4ab7e923ef7ee7e81c16137d14

      SHA512

      133b77cd4efda96069073dbcc714741454c5a0ec4c1a40005dbe5bcbdc4ade357e0ece85f01febedbf9fba047fa091cf76c643d026491344c4f8b4eb993a4649

    • C:\Users\Admin\AppData\Local\Temp\00000000.res

      Filesize

      136B

      MD5

      b59b8fd30ca42d88353eb9b51cf9a4aa

      SHA1

      6131ba68c0dcb04abd3d410ff5d06210dfe7110c

      SHA256

      885b083194f40e5c6872a3aaad48fe9c0514f69f21ef3127b4cad60b4808787b

      SHA512

      170eadfb02d34c2f71167e550f36fdf93ca043004574b30ccc72241faf559bd8a40187be80bbd733b98888679d3ae583b4f629099e52b1e5d02cb9c423b25de4

    • C:\Users\Admin\AppData\Local\Temp\00000000.res

      Filesize

      136B

      MD5

      998fc22ad4794e9ab324660fecf5cc94

      SHA1

      2e325a13ae7701fb97e9263b18fa533a5b51e5dc

      SHA256

      39ee95bfd4f3abf6022013c12d4a89ad259c7045df4f8927821909fdab69c70e

      SHA512

      9a3e7f5a18b445622302ee301cbf426a7a2d6f023e67b97594c4767ecc5a1ff513aeff6b433b7b9509e7993415c7aca43801276de5feb66119287d5a9b233320

    • C:\Users\Admin\AppData\Local\Temp\56391716212026.bat

      Filesize

      336B

      MD5

      3540e056349c6972905dc9706cd49418

      SHA1

      492c20442d34d45a6d6790c720349b11ec591cde

      SHA256

      73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

      SHA512

      c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

    • C:\Users\Admin\AppData\Local\Temp\c.vbs

      Filesize

      219B

      MD5

      5f6d40ca3c34b470113ed04d06a88ff4

      SHA1

      50629e7211ae43e32060686d6be17ebd492fd7aa

      SHA256

      0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

      SHA512

      4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

    • C:\Users\Admin\AppData\Local\Temp\c.wry

      Filesize

      628B

      MD5

      507a3f4919f981906d984a8d4604deab

      SHA1

      d9a6c215c7f9f260cb12cc6187ca6a1baca80678

      SHA256

      098dd0e68b29dc4be490a7413991a4d19e7a0052db30010076c6c584d31ab830

      SHA512

      23664f5247381f206dd92be1539720d1c605145bd8ad1d3541e123999b6b85284c2f9fea9376149126ec9ff38d1fb8355f1f8fcc8343946e93f59cbd4b9f797a

    • C:\Users\Admin\AppData\Local\Temp\f.wry

      Filesize

      449B

      MD5

      85e235cd4757d8af91cbe3145b630ed0

      SHA1

      6a86dda6e266ee51b0a353fe3383f720ec471335

      SHA256

      b78d336226cf138995537a63f7fd67f983d96b469b07c00ac60b71c64c0ab1c9

      SHA512

      be24d8b819d9f2dacd00706c955359d3a88b6f97390b904372021110ba533c1a0837b2138fd619b14261f0a2969e8b594b9397e50ee544c161f0e5658fbf222d

    • C:\Users\Admin\AppData\Local\Temp\m.wry

      Filesize

      42KB

      MD5

      980b08bac152aff3f9b0136b616affa5

      SHA1

      2a9c9601ea038f790cc29379c79407356a3d25a3

      SHA256

      402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

      SHA512

      100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

    • C:\Users\Admin\Documents\!Please Read Me!.txt

      Filesize

      797B

      MD5

      afa18cf4aa2660392111763fb93a8c3d

      SHA1

      c219a3654a5f41ce535a09f2a188a464c3f5baf5

      SHA256

      227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

      SHA512

      4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

    • memory/2408-6-0x0000000010000000-0x0000000010012000-memory.dmp

      Filesize

      72KB