c91b0e133ade231645d08ba9fa03fe3f3b971316513d725c6bdd1d45c09447a6

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 20:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe
Size

57KB
MD5

dbd00ddc3271a18107e33634bd59290e
SHA1

e0932e95d3617055ede7e4c0e89eef26c127a219
SHA256

c91b0e133ade231645d08ba9fa03fe3f3b971316513d725c6bdd1d45c09447a6
SHA512

5a8b77337168f02953645a61922ae93142bf02afc991f1a5d67293d00c50c0d3a01ddbac352fbd52314bb3e1988878c172afd191ee3a9423cfa2852d1fbc47e7
SSDEEP

768:kVfM7722n0Mnvqc/ndEP0wiu2R1Mm4/U76pURqO77xQ+VORH:2N2df/ndEmqUk+7xQ+Vs

Score

9^/10

defense_evasion execution impact ransomware

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Detects command variations typically used by ransomware 1 IoCs

resource	yara_rule
behavioral1/memory/1400-1-0x00000000012F0000-0x0000000001302000-memory.dmp	INDICATOR_SUSPICIOUS_GENRansomware

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2704	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2412	wmic.exe
Token: SeSecurityPrivilege	2412	wmic.exe
Token: SeTakeOwnershipPrivilege	2412	wmic.exe
Token: SeLoadDriverPrivilege	2412	wmic.exe
Token: SeSystemProfilePrivilege	2412	wmic.exe
Token: SeSystemtimePrivilege	2412	wmic.exe
Token: SeProfSingleProcessPrivilege	2412	wmic.exe
Token: SeIncBasePriorityPrivilege	2412	wmic.exe
Token: SeCreatePagefilePrivilege	2412	wmic.exe
Token: SeBackupPrivilege	2412	wmic.exe
Token: SeRestorePrivilege	2412	wmic.exe
Token: SeShutdownPrivilege	2412	wmic.exe
Token: SeDebugPrivilege	2412	wmic.exe
Token: SeSystemEnvironmentPrivilege	2412	wmic.exe
Token: SeRemoteShutdownPrivilege	2412	wmic.exe
Token: SeUndockPrivilege	2412	wmic.exe
Token: SeManageVolumePrivilege	2412	wmic.exe
Token: 33	2412	wmic.exe
Token: 34	2412	wmic.exe
Token: 35	2412	wmic.exe
Token: SeIncreaseQuotaPrivilege	2412	wmic.exe
Token: SeSecurityPrivilege	2412	wmic.exe
Token: SeTakeOwnershipPrivilege	2412	wmic.exe
Token: SeLoadDriverPrivilege	2412	wmic.exe
Token: SeSystemProfilePrivilege	2412	wmic.exe
Token: SeSystemtimePrivilege	2412	wmic.exe
Token: SeProfSingleProcessPrivilege	2412	wmic.exe
Token: SeIncBasePriorityPrivilege	2412	wmic.exe
Token: SeCreatePagefilePrivilege	2412	wmic.exe
Token: SeBackupPrivilege	2412	wmic.exe
Token: SeRestorePrivilege	2412	wmic.exe
Token: SeShutdownPrivilege	2412	wmic.exe
Token: SeDebugPrivilege	2412	wmic.exe
Token: SeSystemEnvironmentPrivilege	2412	wmic.exe
Token: SeRemoteShutdownPrivilege	2412	wmic.exe
Token: SeUndockPrivilege	2412	wmic.exe
Token: SeManageVolumePrivilege	2412	wmic.exe
Token: 33	2412	wmic.exe
Token: 34	2412	wmic.exe
Token: 35	2412	wmic.exe
Token: SeBackupPrivilege	2536	vssvc.exe
Token: SeRestorePrivilege	2536	vssvc.exe
Token: SeAuditPrivilege	2536	vssvc.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2412	1400	2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe	29
PID 1400 wrote to memory of 2412	1400	2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe	29
PID 1400 wrote to memory of 2412	1400	2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe	29
PID 1400 wrote to memory of 2412	1400	2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe	29
PID 1400 wrote to memory of 2704	1400	2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe	30
PID 1400 wrote to memory of 2704	1400	2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe	30
PID 1400 wrote to memory of 2704	1400	2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe	30
PID 1400 wrote to memory of 2704	1400	2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe	30

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_dbd00ddc3271a18107e33634bd59290e_ngrbot_wannacry.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact