Analysis
-
max time kernel
1s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07-06-2024 01:18
Static task
static1
Behavioral task
behavioral1
Sample
WannaCry.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
WannaCry.exe
Resource
win10v2004-20240226-en
General
-
Target
WannaCry.exe
-
Size
224KB
-
MD5
5c7fb0927db37372da25f270708103a2
-
SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29
-
SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
-
SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
SSDEEP
3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Malware Config
Extracted
C:\Users\Admin\Documents\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
Processes:
!WannaDecryptor!.exepid process 2720 !WannaDecryptor!.exe -
Loads dropped DLL 3 IoCs
Processes:
cscript.exeWannaCry.exepid process 2620 cscript.exe 3028 WannaCry.exe 3028 WannaCry.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
WannaCry.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" WannaCry.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1068 vssadmin.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 2084 taskkill.exe 2124 taskkill.exe 2508 taskkill.exe 2040 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
!WannaDecryptor!.exepid process 2720 !WannaDecryptor!.exe 2720 !WannaDecryptor!.exe -
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
WannaCry.execmd.exedescription pid process target process PID 3028 wrote to memory of 2944 3028 WannaCry.exe cmd.exe PID 3028 wrote to memory of 2944 3028 WannaCry.exe cmd.exe PID 3028 wrote to memory of 2944 3028 WannaCry.exe cmd.exe PID 3028 wrote to memory of 2944 3028 WannaCry.exe cmd.exe PID 2944 wrote to memory of 2620 2944 cmd.exe cscript.exe PID 2944 wrote to memory of 2620 2944 cmd.exe cscript.exe PID 2944 wrote to memory of 2620 2944 cmd.exe cscript.exe PID 2944 wrote to memory of 2620 2944 cmd.exe cscript.exe PID 3028 wrote to memory of 2720 3028 WannaCry.exe !WannaDecryptor!.exe PID 3028 wrote to memory of 2720 3028 WannaCry.exe !WannaDecryptor!.exe PID 3028 wrote to memory of 2720 3028 WannaCry.exe !WannaDecryptor!.exe PID 3028 wrote to memory of 2720 3028 WannaCry.exe !WannaDecryptor!.exe PID 3028 wrote to memory of 2040 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2040 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2040 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2040 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2508 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2508 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2508 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2508 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2124 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2124 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2124 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2124 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2084 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2084 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2084 3028 WannaCry.exe taskkill.exe PID 3028 wrote to memory of 2084 3028 WannaCry.exe taskkill.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\cmd.execmd /c 313761717723181.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs3⤵
- Loads dropped DLL
PID:2620 -
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe f2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2720 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*2⤵
- Kills process with taskkill
PID:2040 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*2⤵
- Kills process with taskkill
PID:2508 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe2⤵
- Kills process with taskkill
PID:2124 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe2⤵
- Kills process with taskkill
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe c2⤵PID:2764
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v2⤵PID:1724
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe v3⤵PID:1352
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵PID:268
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
PID:1068 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:1088
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:336
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
921B
MD5609b2625705a6fd9546a48dbd4336496
SHA1a57b4f26b451b46f9938226bdd6db57efce1bef7
SHA256151f965246a43a36dd54a5c8d26da101a7636d61d981a143b9f355d27f85782c
SHA5129f770c1187e58af8b01758ef72d4f5599b4745433923a3a7ef21875b1f3f4cfbbf3119ff50623b213ac536451561294c52389196ca73a665375b08d443428124
-
Filesize
136B
MD5512ae7a49bf5664efdc1160db7ffcc2e
SHA1c8993620b3e91adf9eb9468aca07230e2d25a7e9
SHA2565bab9e710baad101050d9dc50dce90b656d6f2131ead987bd1d5dc2fddb454cd
SHA51225e482627b448677665b42622234c240c9234f90849a5136315628d32b7e5c30d95ef21f3a69b600032d1fc47895a96e92db62810935613613874d3d7d8cee09
-
Filesize
136B
MD50ac875d44887bb0f4c535b2bfb437635
SHA11da2bfdf6f58fc0379eaa9b2dc827344699703ac
SHA2565457542fb92cf3a385f0c84467c1e2ef83cbfab37aef470bd8eb740a5885d425
SHA51225162001910f80926d54034e9aa36d297be31239faa5a72b2501957600bffb2587b2aceb182223f2c7f56190f650d1cff01f0efe455c9ebe65696da50f5edea8
-
Filesize
136B
MD5a0de6d3e54c0f613536478346b61fcd5
SHA1a12c36ad2b1df992b2f794fe96d62d9a27d86bb2
SHA256cd2a37d8bcc89a329c7c6b3c0479a1d2d49479b9d37f0096486e553556cc29fa
SHA5127258d5ef858e68ba819ebedb4d4c7e6ddcd11b3c922c03fcb4a4b486a459bccf88946e367a40108fc39a72ae25aae5aec0dcc6712b32c9c8f3cf3dd4919adb12
-
Filesize
336B
MD53540e056349c6972905dc9706cd49418
SHA1492c20442d34d45a6d6790c720349b11ec591cde
SHA25673872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c
-
Filesize
219B
MD55f6d40ca3c34b470113ed04d06a88ff4
SHA150629e7211ae43e32060686d6be17ebd492fd7aa
SHA2560fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA5124d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35
-
Filesize
628B
MD5e1f777d02c6b81d94208f1e2e469bb73
SHA188758901e0cae40353a2dc040b8282b796cae9cb
SHA256cded9e454f5bbda32652e5bc663e903c9f67c24416bf2e595897ad604cbde154
SHA512c40f4a1289cc6a28cc5f34277bee425774b51b491fa30a9ddfbb5ad14b4a22baf03405e064c67357e226d82630711a90f2cae1b98f59bcd3bec8f1c0fdf95e94
-
Filesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
Filesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5