wannacry | 1d3c2088b2d712f8006279db8acb9a1c6dc3037886a655d37bf75ea5fa6b9518

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Malware-database-main/WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2667.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

pid	Process
2632	!WannaDecryptor!.exe
608	!WannaDecryptor!.exe
792	!WannaDecryptor!.exe
2704	!WannaDecryptor!.exe

Loads dropped DLL 9 IoCs

pid	Process
2992	cscript.exe
1520	WannaCry.exe
1520	WannaCry.exe
1520	WannaCry.exe
1520	WannaCry.exe
1816	cmd.exe
1816	cmd.exe
1520	WannaCry.exe
1520	WannaCry.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Malware-database-main\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2064	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
788	taskkill.exe
716	taskkill.exe
604	taskkill.exe
1652	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2704	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeDebugPrivilege	716	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeBackupPrivilege	2920	vssvc.exe
Token: SeRestorePrivilege	2920	vssvc.exe
Token: SeAuditPrivilege	2920	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2012	WMIC.exe
Token: SeSecurityPrivilege	2012	WMIC.exe
Token: SeTakeOwnershipPrivilege	2012	WMIC.exe
Token: SeLoadDriverPrivilege	2012	WMIC.exe
Token: SeSystemProfilePrivilege	2012	WMIC.exe
Token: SeSystemtimePrivilege	2012	WMIC.exe
Token: SeProfSingleProcessPrivilege	2012	WMIC.exe
Token: SeIncBasePriorityPrivilege	2012	WMIC.exe
Token: SeCreatePagefilePrivilege	2012	WMIC.exe
Token: SeBackupPrivilege	2012	WMIC.exe
Token: SeRestorePrivilege	2012	WMIC.exe
Token: SeShutdownPrivilege	2012	WMIC.exe
Token: SeDebugPrivilege	2012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2012	WMIC.exe
Token: SeRemoteShutdownPrivilege	2012	WMIC.exe
Token: SeUndockPrivilege	2012	WMIC.exe
Token: SeManageVolumePrivilege	2012	WMIC.exe
Token: 33	2012	WMIC.exe
Token: 34	2012	WMIC.exe
Token: 35	2012	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2012	WMIC.exe
Token: SeSecurityPrivilege	2012	WMIC.exe
Token: SeTakeOwnershipPrivilege	2012	WMIC.exe
Token: SeLoadDriverPrivilege	2012	WMIC.exe
Token: SeSystemProfilePrivilege	2012	WMIC.exe
Token: SeSystemtimePrivilege	2012	WMIC.exe
Token: SeProfSingleProcessPrivilege	2012	WMIC.exe
Token: SeIncBasePriorityPrivilege	2012	WMIC.exe
Token: SeCreatePagefilePrivilege	2012	WMIC.exe
Token: SeBackupPrivilege	2012	WMIC.exe
Token: SeRestorePrivilege	2012	WMIC.exe
Token: SeShutdownPrivilege	2012	WMIC.exe
Token: SeDebugPrivilege	2012	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2012	WMIC.exe
Token: SeRemoteShutdownPrivilege	2012	WMIC.exe
Token: SeUndockPrivilege	2012	WMIC.exe
Token: SeManageVolumePrivilege	2012	WMIC.exe
Token: 33	2012	WMIC.exe
Token: 34	2012	WMIC.exe
Token: 35	2012	WMIC.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2632	!WannaDecryptor!.exe
2632	!WannaDecryptor!.exe
608	!WannaDecryptor!.exe
608	!WannaDecryptor!.exe
792	!WannaDecryptor!.exe
792	!WannaDecryptor!.exe
2704	!WannaDecryptor!.exe
2704	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1600	1520	WannaCry.exe	28
PID 1520 wrote to memory of 1600	1520	WannaCry.exe	28
PID 1520 wrote to memory of 1600	1520	WannaCry.exe	28
PID 1520 wrote to memory of 1600	1520	WannaCry.exe	28
PID 1600 wrote to memory of 2992	1600	cmd.exe	30
PID 1600 wrote to memory of 2992	1600	cmd.exe	30
PID 1600 wrote to memory of 2992	1600	cmd.exe	30
PID 1600 wrote to memory of 2992	1600	cmd.exe	30
PID 1520 wrote to memory of 2632	1520	WannaCry.exe	31
PID 1520 wrote to memory of 2632	1520	WannaCry.exe	31
PID 1520 wrote to memory of 2632	1520	WannaCry.exe	31
PID 1520 wrote to memory of 2632	1520	WannaCry.exe	31
PID 1520 wrote to memory of 788	1520	WannaCry.exe	32
PID 1520 wrote to memory of 788	1520	WannaCry.exe	32
PID 1520 wrote to memory of 788	1520	WannaCry.exe	32
PID 1520 wrote to memory of 788	1520	WannaCry.exe	32
PID 1520 wrote to memory of 716	1520	WannaCry.exe	33
PID 1520 wrote to memory of 716	1520	WannaCry.exe	33
PID 1520 wrote to memory of 716	1520	WannaCry.exe	33
PID 1520 wrote to memory of 716	1520	WannaCry.exe	33
PID 1520 wrote to memory of 604	1520	WannaCry.exe	36
PID 1520 wrote to memory of 604	1520	WannaCry.exe	36
PID 1520 wrote to memory of 604	1520	WannaCry.exe	36
PID 1520 wrote to memory of 604	1520	WannaCry.exe	36
PID 1520 wrote to memory of 1652	1520	WannaCry.exe	37
PID 1520 wrote to memory of 1652	1520	WannaCry.exe	37
PID 1520 wrote to memory of 1652	1520	WannaCry.exe	37
PID 1520 wrote to memory of 1652	1520	WannaCry.exe	37
PID 1520 wrote to memory of 608	1520	WannaCry.exe	42
PID 1520 wrote to memory of 608	1520	WannaCry.exe	42
PID 1520 wrote to memory of 608	1520	WannaCry.exe	42
PID 1520 wrote to memory of 608	1520	WannaCry.exe	42
PID 1520 wrote to memory of 1816	1520	WannaCry.exe	43
PID 1520 wrote to memory of 1816	1520	WannaCry.exe	43
PID 1520 wrote to memory of 1816	1520	WannaCry.exe	43
PID 1520 wrote to memory of 1816	1520	WannaCry.exe	43
PID 1816 wrote to memory of 792	1816	cmd.exe	45
PID 1816 wrote to memory of 792	1816	cmd.exe	45
PID 1816 wrote to memory of 792	1816	cmd.exe	45
PID 1816 wrote to memory of 792	1816	cmd.exe	45
PID 1520 wrote to memory of 2704	1520	WannaCry.exe	46
PID 1520 wrote to memory of 2704	1520	WannaCry.exe	46
PID 1520 wrote to memory of 2704	1520	WannaCry.exe	46
PID 1520 wrote to memory of 2704	1520	WannaCry.exe	46
PID 792 wrote to memory of 604	792	!WannaDecryptor!.exe	47
PID 792 wrote to memory of 604	792	!WannaDecryptor!.exe	47
PID 792 wrote to memory of 604	792	!WannaDecryptor!.exe	47
PID 792 wrote to memory of 604	792	!WannaDecryptor!.exe	47
PID 604 wrote to memory of 2064	604	cmd.exe	49
PID 604 wrote to memory of 2064	604	cmd.exe	49
PID 604 wrote to memory of 2064	604	cmd.exe	49
PID 604 wrote to memory of 2064	604	cmd.exe	49
PID 604 wrote to memory of 2012	604	cmd.exe	51
PID 604 wrote to memory of 2012	604	cmd.exe	51
PID 604 wrote to memory of 2012	604	cmd.exe	51
PID 604 wrote to memory of 2012	604	cmd.exe	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Malware-database-main\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\Malware-database-main\WannaCry.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 22791716847928.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - Loads dropped DLL
    PID:2992
- C:\Users\Admin\AppData\Local\Temp\Malware-database-main\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:716
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:604
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\Malware-database-main\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Users\Admin\AppData\Local\Temp\Malware-database-main\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2064
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
- C:\Users\Admin\AppData\Local\Temp\Malware-database-main\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Malware-database-main\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-database-main\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
6400d88483be36c8c68857e2eaae48ad

SHA1
cfb7924a86cb7ccb8c8436c05cd3a21362dc2eab

SHA256
74c8d1df1d14f6ef90b95db6d0d63d70edb363446f4b6da595667ae7802c2c29

SHA512
3583ab5993ee5a23264699fcf4679ca974af6499500f5ed3747323d208dbf2a44592981a01439cc74ad52e0d9d536161914139eb974749d525fefe9952cc80d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-database-main\00000000.res

Filesize
136B

MD5
7d30fd57ffc4c98a4ef55d99b81ff639

SHA1
7d77f27ab1e56eebbab73131c2b27175fe7da3a0

SHA256
5538a2460c6db4b6b2e1ad198cf9c96af967b117de03a4acc82e5490f632a3ec

SHA512
cc4dd371c415841e0675271c48e44581116d298a3cf2dc301632d91dd1afc8fc2c59b3b803ea40bf3c2fd8b4cf5e69d283021d0317fba6207b904fb3e2d31664

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-database-main\00000000.res

Filesize
136B

MD5
217cc9072711a57cd765d012104e95bb

SHA1
23503e4bb21b78f30442c0582d04c3f0f24ce782

SHA256
8f5d31c6e431e722f3381bc75e944db8a2212654900b68f841ac5826eae506ed

SHA512
9f4fe20689bef28a0138adf2168e28ef97e786bd261a2d97f71ebdc6f14148edbe086931d986a064341707d40ae862d6493fc6d0608e4d827c00686d3028014f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-database-main\00000000.res

Filesize
136B

MD5
14769f604e7d18d4ca8b16a7c4bc0a07

SHA1
536d1aef330fd6b826abc7c55ce7732b41079428

SHA256
e07e527197293ab77526cc14d26286120efa288405301a8a925e6c347cb0080d

SHA512
ab2d0edd775e7449e04f5ce2a5a74722c0c58096a6de40f0fd9275be2a248b45c55ae8ec86ba742c40ac3612a4093450ff7ca2375f2f3adc1cc39846446aa6b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-database-main\22791716847928.bat

Filesize
380B

MD5
71e08345a9f96647941595bc404e4304

SHA1
207f50600f9d261ff8fa88ba4f52dd2fc5bc13c5

SHA256
04ec40a225b6140fd35a92b66db0ddbcf96d31c4accf7183295c2321be9dcb16

SHA512
5c4bce405c86f688b2f3e6837dd24fc9db1485325965a17a841c191b25104ee9fdbf08d709b74f1fa9e752ad1374c391f3467dd7e448da38a7f1a27b38bc2e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-database-main\c.vbs

Filesize
263B

MD5
897fe8eafbce679f3f2ecae2f678753a

SHA1
3e0cef18216c559e6bdf9c1c5331d8d5d2e53398

SHA256
04a249282dfa17a672c10ada3dc9a3b71f518b33fdb953ad2f76d88bd60d2c7a

SHA512
979460bf2c9761e6f3d9c7f99efd3eaf60ac81dfdc7d7d8882c5f248afb04d2aa27885b6aad7140dc601c90a375e5e9e31bbd2efa06496541a74bcd75d2d71ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-database-main\c.wry

Filesize
628B

MD5
4c267572a1e82b195ddcc06eaacecbca

SHA1
ea4b21128ed47c16cacab6c7e5422e13fcd7c7e0

SHA256
1daf3c2974b9bdc5a5ea4bb453fc52b4a3efa74e08b01083775a424d0ab8728a

SHA512
63c2a89d6b52ad63c30ed7f7181a66dbe7644963de0021162848d29c63b4b7cb0da51f6502976b7763ea5eef60aa3ee11d9cd1c35ef5a0de933d528a810717cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Malware-database-main\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
memory/1520-7-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads