79fe78a198078c1810a45cd7ff8f97292b3a15c4ec65601f979be576a424e9ac

General

Target

2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
Size

2.4MB
MD5

63263c7764df5469c6683700699f9d1a
SHA1

a11de9cb5acd9b04fbbd3d4568a53713c7c3bd40
SHA256

79fe78a198078c1810a45cd7ff8f97292b3a15c4ec65601f979be576a424e9ac
SHA512

207c04f5d08230200ab0908b4f719ecb2d0085ffd26dfe6461c9fdb12e6cbe9736326338851291de65137019ab52ace2230d0fac1592cf3965f8ccbaf2a30a73
SSDEEP

1536:jpHBovOj4CPN0iyR5KXzik7t3ZVw3GaalZJlrw+TBSD5vl/xvzWWvoqd:ZBoQ2RGaallrnUBlJ6o

Score

9^/10

defense_evasion evasion execution impact ransomware spyware stealer

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Detects command variations typically used by ransomware 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1240-1373-0x0000000000BF0000-0x0000000000E57000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Renames multiple (807) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 2 IoCs

Processes:

2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\gmreadme.txt	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2652 netsh.exe
Executes dropped EXE 1 IoCs

Processes:

GlitchByte_Decryptor.exe

pid process

2696 GlitchByte_Decryptor.exe
Loads dropped DLL 2 IoCs

Processes:

2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

pid process

1240 2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
1240 2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2652	netsh.exe

pid	process
2696	GlitchByte_Decryptor.exe

pid	process
1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

Drops file in System32 directory 64 IoCs

Processes:

2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

description	ioc	process
File opened for modification	C:\Windows\System32\catroot2\edb006D2.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnport.vbs	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnport.vbs	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\ProfessionalN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\StarterN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\StarterE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Ultimate\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomePremiumN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\ProfessionalE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\pubprn.vbs	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnqctl.vbs	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Windows\System32\catroot2\edb006CA.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Starter\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\StarterN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomePremiumE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Windows\System32\catroot2\edb006BE.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Starter\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnmngr.vbs	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\wbem\fr-FR\csv.xsl	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\Starter\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\HomeBasic\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\_Default\HomePremiumE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\Starter\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\wbem\es-ES\htable.xsl	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\ProfessionalN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\eval\Enterprise\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\UltimateE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\StarterE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\wbem\ja-JP\mof.xsl	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\StarterN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasicN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomePremiumE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\ProfessionalN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\HomePremium\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnqctl.vbs	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomeBasicE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\HomeBasicE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremiumN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\lipeula.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnmngr.vbs	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\WCN\it-IT\Add_a_device_or_computer_to_a_network_usb.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Windows\System32\catroot2\edb006D5.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\StarterN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\UltimateN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\_Default\StarterE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\Ultimate\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prndrvr.vbs	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\StarterN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\ProfessionalN\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\en-US\lpeula.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomePremiumE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\EnterpriseE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\wbem\fr-FR\hform.xsl	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\_Default\Professional\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Starter\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasic\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasic\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomeBasicE\license.rtf	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\GlitchByte.bmp"	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\GIGGLE.WAV	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files\OpenResume.mp4v	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\SoftBlue.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-over-select.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\videowall.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\THMBNAIL.PNG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files (x86)\Common Files\Services\verisign.bmp	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Bears.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_Buttongraphic.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\THMBNAIL.PNG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_SelectionSubpicture.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\chapters-static.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_SelectionSubpicture.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

Drops file in Windows directory 64 IoCs

Processes:

2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

description	ioc	process
File created	C:\Windows\Media\Windows Hardware Fail.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Web\Wallpaper\Architecture\img17.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Heritage\Windows Default.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Quirky\Windows User Account Control.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Garden\Windows Logon Sound.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Web\Wallpaper\Architecture\img16.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\ehome\de-DE\playReady_eula_oem.txt	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Cityscape\Windows Battery Critical.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Heritage\Windows User Account Control.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Landscape\Windows Print complete.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Quirky\Windows Error.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Windows\debug\WIA\wiatrace.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Windows\TSSysprep.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Landscape\Windows Battery Critical.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Cityscape\Windows Ding.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Quirky\Windows Hardware Insert.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Savanna\Windows Exclamation.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\AU-wp2.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp3.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Quirky\Windows Balloon.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Calligraphy\Windows Notify.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Windows\Panther\setupact.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Heritage\Windows Critical Stop.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Heritage\Windows Pop-up Blocked.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Raga\Windows Logon Sound.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Savanna\Windows Pop-up Blocked.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\ehome\de-DE\epgtos.txt	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Speech Misrecognition.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Characters\Windows Print complete.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Garden\Windows Print complete.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Delta\Windows Battery Critical.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Quirky\Windows Print complete.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Windows\Panther\cbs.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Web\Wallpaper\Nature\img5.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Afternoon\Windows Notify.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Calligraphy\Windows Feed Discovered.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Garden\Windows Exclamation.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Sonata\Windows Critical Stop.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Sonata\Windows Error.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Windows Exclamation.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Characters\Windows Notify.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Sonata\Windows Battery Low.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Sonata\Windows Exclamation.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Web\Wallpaper\Nature\img4.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Garden\Windows Error.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Raga\Windows Exclamation.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Windows Print complete.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Quirky\Windows Navigation Start.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Raga\Windows Information Bar.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Savanna\Windows Hardware Fail.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\ehome\fr-FR\playready_eula.txt	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Globalization\MCT\MCT-US\Wallpaper\US-wp5.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\chimes.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Sonata\Windows Hardware Remove.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\img12.jpg	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Garden\Windows Pop-up Blocked.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Raga\Windows Default.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Delta\Windows Default.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Delta\Windows Notify.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Savanna\Windows Default.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
File created	C:\Windows\Media\Sonata\Windows Battery Critical.wav	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2640 vssadmin.exe

pid	process
2640	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2732	wmic.exe
Token: SeSecurityPrivilege	2732	wmic.exe
Token: SeTakeOwnershipPrivilege	2732	wmic.exe
Token: SeLoadDriverPrivilege	2732	wmic.exe
Token: SeSystemProfilePrivilege	2732	wmic.exe
Token: SeSystemtimePrivilege	2732	wmic.exe
Token: SeProfSingleProcessPrivilege	2732	wmic.exe
Token: SeIncBasePriorityPrivilege	2732	wmic.exe
Token: SeCreatePagefilePrivilege	2732	wmic.exe
Token: SeBackupPrivilege	2732	wmic.exe
Token: SeRestorePrivilege	2732	wmic.exe
Token: SeShutdownPrivilege	2732	wmic.exe
Token: SeDebugPrivilege	2732	wmic.exe
Token: SeSystemEnvironmentPrivilege	2732	wmic.exe
Token: SeRemoteShutdownPrivilege	2732	wmic.exe
Token: SeUndockPrivilege	2732	wmic.exe
Token: SeManageVolumePrivilege	2732	wmic.exe
Token: 33	2732	wmic.exe
Token: 34	2732	wmic.exe
Token: 35	2732	wmic.exe
Token: SeIncreaseQuotaPrivilege	2732	wmic.exe
Token: SeSecurityPrivilege	2732	wmic.exe
Token: SeTakeOwnershipPrivilege	2732	wmic.exe
Token: SeLoadDriverPrivilege	2732	wmic.exe
Token: SeSystemProfilePrivilege	2732	wmic.exe
Token: SeSystemtimePrivilege	2732	wmic.exe
Token: SeProfSingleProcessPrivilege	2732	wmic.exe
Token: SeIncBasePriorityPrivilege	2732	wmic.exe
Token: SeCreatePagefilePrivilege	2732	wmic.exe
Token: SeBackupPrivilege	2732	wmic.exe
Token: SeRestorePrivilege	2732	wmic.exe
Token: SeShutdownPrivilege	2732	wmic.exe
Token: SeDebugPrivilege	2732	wmic.exe
Token: SeSystemEnvironmentPrivilege	2732	wmic.exe
Token: SeRemoteShutdownPrivilege	2732	wmic.exe
Token: SeUndockPrivilege	2732	wmic.exe
Token: SeManageVolumePrivilege	2732	wmic.exe
Token: 33	2732	wmic.exe
Token: 34	2732	wmic.exe
Token: 35	2732	wmic.exe
Token: SeBackupPrivilege	2508	vssvc.exe
Token: SeRestorePrivilege	2508	vssvc.exe
Token: SeAuditPrivilege	2508	vssvc.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

description	pid	process	target process
PID 1240 wrote to memory of 2652	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	netsh.exe
PID 1240 wrote to memory of 2652	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	netsh.exe
PID 1240 wrote to memory of 2652	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	netsh.exe
PID 1240 wrote to memory of 2652	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	netsh.exe
PID 1240 wrote to memory of 2640	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	vssadmin.exe
PID 1240 wrote to memory of 2640	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	vssadmin.exe
PID 1240 wrote to memory of 2640	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	vssadmin.exe
PID 1240 wrote to memory of 2640	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	vssadmin.exe
PID 1240 wrote to memory of 2732	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	wmic.exe
PID 1240 wrote to memory of 2732	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	wmic.exe
PID 1240 wrote to memory of 2732	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	wmic.exe
PID 1240 wrote to memory of 2732	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	wmic.exe
PID 1240 wrote to memory of 2444	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	rundll32.exe
PID 1240 wrote to memory of 2444	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	rundll32.exe
PID 1240 wrote to memory of 2444	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	rundll32.exe
PID 1240 wrote to memory of 2444	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	rundll32.exe
PID 1240 wrote to memory of 2444	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	rundll32.exe
PID 1240 wrote to memory of 2444	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	rundll32.exe
PID 1240 wrote to memory of 2444	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	rundll32.exe
PID 1240 wrote to memory of 2696	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	GlitchByte_Decryptor.exe
PID 1240 wrote to memory of 2696	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	GlitchByte_Decryptor.exe
PID 1240 wrote to memory of 2696	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	GlitchByte_Decryptor.exe
PID 1240 wrote to memory of 2696	1240	2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe	GlitchByte_Decryptor.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode mode=disable profile=all
2⤵
- Modifies Windows Firewall
PID:2652

C:\Windows\SysWOW64\vssadmin.exe
vssadmin Delete Shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:2640

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic shadowcopy delete
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe user32.dll,UpdatePerUserSystemParameters
2⤵
PID:2444

C:\Users\Admin\Desktop\GlitchByte_Decryptor.exe
C:\Users\Admin\Desktop\GlitchByte_Decryptor.exe
2⤵
- Executes dropped EXE
PID:2696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000005.log
Filesize
8B

MD5
7f49f19ddb99db64a6aa9486ef6658e5

SHA1
f233f9413b9cc1c27e61308b6b5d5e56c7341d45

SHA256
a5ddc96ed1f312cb639277840a89c8859f88ffd36a5962b87429fd0e94feb41f

SHA512
4634feaaa7de377b4bb8bc5ff5649f4ef0b8f37f2338d2d032ae2956c6f35aba1ecd9672c3e46bfb30d64e8584f78032e8ab738ddbf01e44e8b8532e74192159

Download Submit
\Users\Admin\Desktop\GlitchByte_Decryptor.exe
Filesize
59KB

MD5
bfb533cf1b36ee071912539947b6e293

SHA1
829ab8fea8390419739749a5f10a6514b38f81cf

SHA256
0d8217a51648efeb075d73389c826430209eca07422fb8d035de9c00bd5ab96c

SHA512
d1f68827ff6d937a9a46b390f6ddbf58b7cc644fce648b16342eafc0f85788261a4b126f5582528b34af32fd20b964738dd052bfe255cac1438780500354fb83

Download Submit
memory/1240-1373-0x0000000000BF0000-0x0000000000E57000-memory.dmp

Filesize
2.4MB

Download
memory/2696-1618-0x00000000010E0000-0x00000000010F2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads