Analysis Overview
SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
Threat Level: Known bad
The file Ransomware.WannaCrypt0r.v1.exe was found to be: Known bad.
Malicious Activity Summary
Wannacry
Deletes shadow copies
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Sets desktop wallpaper using registry
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Interacts with shadow copies
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-20 13:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 13:33
Reported
2024-05-20 13:34
Platform
win7-20240508-en
Max time kernel
67s
Max time network
23s
Command Line
Signatures
Wannacry
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD29EF.tmp | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cscript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware.WannaCrypt0r.v1.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Enumerates physical storage devices
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c 56391716212026.bat
C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp |
Files
memory/2408-6-0x0000000010000000-0x0000000010012000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\56391716212026.bat
| MD5 | 3540e056349c6972905dc9706cd49418 |
| SHA1 | 492c20442d34d45a6d6790c720349b11ec591cde |
| SHA256 | 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc |
| SHA512 | c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c |
C:\Users\Admin\AppData\Local\Temp\c.vbs
| MD5 | 5f6d40ca3c34b470113ed04d06a88ff4 |
| SHA1 | 50629e7211ae43e32060686d6be17ebd492fd7aa |
| SHA256 | 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1 |
| SHA512 | 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35 |
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
| MD5 | cf1416074cd7791ab80a18f9e7e219d9 |
| SHA1 | 276d2ec82c518d887a8a3608e51c56fa28716ded |
| SHA256 | 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df |
| SHA512 | 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5 |
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
| MD5 | 772188adc9a39992fd0608038f941967 |
| SHA1 | 5f2037942bcbb38a0580a992921255c3a5c3f7f6 |
| SHA256 | f078a0f7d43bb6f7f67308f4f45e66f230699b8a05f1b65321eb586fa2120a5e |
| SHA512 | d6a9c384297d62007225edf01323d3a79c5b9fbe662869da74ad1eaea506c08b15c1ed7796a98cb94c1b16863e76bb8a4d9382122b2d0d8d4f7b24469e05e076 |
C:\Users\Admin\AppData\Local\Temp\c.wry
| MD5 | 507a3f4919f981906d984a8d4604deab |
| SHA1 | d9a6c215c7f9f260cb12cc6187ca6a1baca80678 |
| SHA256 | 098dd0e68b29dc4be490a7413991a4d19e7a0052db30010076c6c584d31ab830 |
| SHA512 | 23664f5247381f206dd92be1539720d1c605145bd8ad1d3541e123999b6b85284c2f9fea9376149126ec9ff38d1fb8355f1f8fcc8343946e93f59cbd4b9f797a |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | ecf7cf8daddf2d7fd9ff730bc31c0490 |
| SHA1 | 367e4d2fc64a1da5775dab2380cbe5a73129f210 |
| SHA256 | 54768fe562e12ff975bebd21a1205f7e33a2ab6526da75b46cdb0fde4377b909 |
| SHA512 | 3f2e8b16ab18143a091ac7ec9fce772566c982a5b47b05d0d70e87463ea241ef7109bf7f664642501b718aa23adb7c2b2a711777bcfadf8a8ba56aabe7ae209b |
C:\Users\Admin\Documents\!Please Read Me!.txt
| MD5 | afa18cf4aa2660392111763fb93a8c3d |
| SHA1 | c219a3654a5f41ce535a09f2a188a464c3f5baf5 |
| SHA256 | 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0 |
| SHA512 | 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | 0d9f8f2dd58ef5897b144bcb804e7a46 |
| SHA1 | 3ac12239d04f161520029c336e4c3ebbe1e9efe5 |
| SHA256 | ce56961ff4f5500304c950f24ca3b93c95cbab4ab7e923ef7ee7e81c16137d14 |
| SHA512 | 133b77cd4efda96069073dbcc714741454c5a0ec4c1a40005dbe5bcbdc4ade357e0ece85f01febedbf9fba047fa091cf76c643d026491344c4f8b4eb993a4649 |
C:\Users\Admin\AppData\Local\Temp\m.wry
| MD5 | 980b08bac152aff3f9b0136b616affa5 |
| SHA1 | 2a9c9601ea038f790cc29379c79407356a3d25a3 |
| SHA256 | 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9 |
| SHA512 | 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496 |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | b59b8fd30ca42d88353eb9b51cf9a4aa |
| SHA1 | 6131ba68c0dcb04abd3d410ff5d06210dfe7110c |
| SHA256 | 885b083194f40e5c6872a3aaad48fe9c0514f69f21ef3127b4cad60b4808787b |
| SHA512 | 170eadfb02d34c2f71167e550f36fdf93ca043004574b30ccc72241faf559bd8a40187be80bbd733b98888679d3ae583b4f629099e52b1e5d02cb9c423b25de4 |
C:\Users\Admin\AppData\Local\Temp\f.wry
| MD5 | 85e235cd4757d8af91cbe3145b630ed0 |
| SHA1 | 6a86dda6e266ee51b0a353fe3383f720ec471335 |
| SHA256 | b78d336226cf138995537a63f7fd67f983d96b469b07c00ac60b71c64c0ab1c9 |
| SHA512 | be24d8b819d9f2dacd00706c955359d3a88b6f97390b904372021110ba533c1a0837b2138fd619b14261f0a2969e8b594b9397e50ee544c161f0e5658fbf222d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.WCRY
| MD5 | f6b07a01f064d19ba109a7e08d780aaa |
| SHA1 | 6d23296782619d2eaab9e86ddde4d7075578040d |
| SHA256 | 051138cb52f0bd9dd7b667bb767c4ec7f6ffd6c8312dd54031e65848aef40379 |
| SHA512 | d9214190bb3b51828b675d9cc24d5210a872547a11ad0d7113dbbab577e427e0cb34149e9dde8c704bdc562daf8a2c75b5aede42f15670c850960a54d5651c06 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.WCRY
| MD5 | 2d6bd6015391c99b67080a2fadfa6a4e |
| SHA1 | e082ae01cf8d38fe5a2d846b8eb9c3bba969475a |
| SHA256 | 9da4a59bfb8b9cf8437013283dfe9ce97cc9dbefa22dae06fba625da3e1ee1dc |
| SHA512 | 94331605df78f548539cb3fb387e9bbf25904b5ac9be3e78982e7d7ed09f3c121cdd7dffe760fd458a0eb6a72d0ea3b88a23de3402e228dfa9662b7db2b55d5a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png.WCRY
| MD5 | a9a2f724539c55234590c06d96e6744a |
| SHA1 | e69bd402a79a6ba907fdc38256f3939c11f82756 |
| SHA256 | 1039382fca1be68bdaba697fbb87980d47ad7691db374214359fcbd5ef09155a |
| SHA512 | e03f6ca664290a7ad28036b3530961fd7e4adff84ac17f587ba028be4c730007795d9a1e18e8637b7f8182b9fb50010625047bcec790b2c9c07a4017c69fc587 |
C:\Users\Admin\AppData\Local\Temp\00000000.eky
| MD5 | 9dd48bca199c4d19cca04879a3ea378e |
| SHA1 | b1586748a7de8d75cebd164222e3ad4745aa06b9 |
| SHA256 | 8e5ba7542e5866cfcc21420bd6cfe942bad09855a70f50318588dccff82f9046 |
| SHA512 | bbd6eee007814aa8cf03282cfd82be16cec796458b85941b2b71aff705d62f4a6577f4b029ec48d52f5d0169d062cb60249692f7f87924dcf3e67d2ef796ad3d |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | 998fc22ad4794e9ab324660fecf5cc94 |
| SHA1 | 2e325a13ae7701fb97e9263b18fa533a5b51e5dc |
| SHA256 | 39ee95bfd4f3abf6022013c12d4a89ad259c7045df4f8927821909fdab69c70e |
| SHA512 | 9a3e7f5a18b445622302ee301cbf426a7a2d6f023e67b97594c4767ecc5a1ff513aeff6b433b7b9509e7993415c7aca43801276de5feb66119287d5a9b233320 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 13:33
Reported
2024-05-20 13:36
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
126s
Command Line
Signatures
Wannacry
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDF4A4.tmp | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF48D.tmp | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Ransomware.WannaCrypt0r.v1.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe
"C:\Users\Admin\AppData\Local\Temp\Ransomware.WannaCrypt0r.v1.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 195101716212027.bat
C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4612,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:9050 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:9150 | tcp | |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
memory/2740-9-0x0000000010000000-0x0000000010012000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u.wry
| MD5 | cf1416074cd7791ab80a18f9e7e219d9 |
| SHA1 | 276d2ec82c518d887a8a3608e51c56fa28716ded |
| SHA256 | 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df |
| SHA512 | 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5 |
C:\Users\Admin\AppData\Local\Temp\195101716212027.bat
| MD5 | 3540e056349c6972905dc9706cd49418 |
| SHA1 | 492c20442d34d45a6d6790c720349b11ec591cde |
| SHA256 | 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc |
| SHA512 | c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c |
C:\Users\Admin\AppData\Local\Temp\c.vbs
| MD5 | 5f6d40ca3c34b470113ed04d06a88ff4 |
| SHA1 | 50629e7211ae43e32060686d6be17ebd492fd7aa |
| SHA256 | 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1 |
| SHA512 | 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35 |
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
| MD5 | 3357134959ef9dfd0f9c9ff2881be928 |
| SHA1 | b68a8f2b41712eed0da67ffaf18c2e2b12c0af14 |
| SHA256 | a74f12ee79c4cc284ecf5003470e1bb22921f1debd972531c23ec1131d3995a0 |
| SHA512 | ec39d95bd9fdac7b4745f2e722c8e49eaddd117e3b1ebf9f4025af6bef85896b39dac8777815c50181d60c5409c9de9b4ab5bc79b3e29fd412c73861d7da3e5f |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | 82263c02c6ab2c579660ba4dce9c335a |
| SHA1 | 3eeb25000ad3b948f424e3341ed27bf12ec51607 |
| SHA256 | 7038dec8669ef109ce920d0caa244a20672efea54f70e5d4629c8745da89e9c2 |
| SHA512 | 3b164fe0a410904771b0c068efb60d4fd68ca6bc929a8d80e3b294638841e98b26cdae5f6156c8825314ed9089e2c02cc683120e711f86b118fcc530a3c9606b |
C:\Users\Admin\AppData\Local\Temp\c.wry
| MD5 | 941f8104d1b4fb61b6916c831eb13634 |
| SHA1 | a469fdb610d9407716ca8c57ede410ff6e0f346e |
| SHA256 | 99ff58fe067021cf29ad1ae23ed13d36bd68d0b7c214fa8904e592b0ccccaf31 |
| SHA512 | f61af008d225e96f8007533897b4a4968aa04f2abe28b58db7b4653d5b9d2850eefcac34de31d5d9ddb30a2195a6767b29799b2e01bf4324d6d4d42fad078240 |
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt
| MD5 | afa18cf4aa2660392111763fb93a8c3d |
| SHA1 | c219a3654a5f41ce535a09f2a188a464c3f5baf5 |
| SHA256 | 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0 |
| SHA512 | 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | 806f22e364cf36a6fd4edd7cfa98a185 |
| SHA1 | 9d6056e12264eea2e0ee84b08a3938e6224210c1 |
| SHA256 | 1f757f557bcf2c772e7288e0212b9baef11deaa4d81003a63a48d6cf167da9a3 |
| SHA512 | 0bb3bedc176b8ed0bdf354a1e23f7ca845d2b1be34c87a725b7aadefaa2b64cdaff6b7a908d9f0c3802a471701684df74953925d9d97a251a1e69689ffd37f3f |
C:\Users\Admin\AppData\Local\Temp\m.wry
| MD5 | 980b08bac152aff3f9b0136b616affa5 |
| SHA1 | 2a9c9601ea038f790cc29379c79407356a3d25a3 |
| SHA256 | 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9 |
| SHA512 | 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496 |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | 8c26b5d07448e4e9ab85904e388feffe |
| SHA1 | ca3be861a057fbd764224103766e236c3109354c |
| SHA256 | b57bcd37d09b0ef69797237462aad57230a23c40c8b2ef35b8ad2dfe4e7ad86b |
| SHA512 | 5d6e11af37e6064d05d5c73681c7f66e9248a38287c6611a2729b1da15b81ff00df0070f6a486b712d13667bed84038ddd5658b95f265c3f0891dd695dba0656 |