wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
1s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-06-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Executes dropped EXE 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

2720 !WannaDecryptor!.exe
Loads dropped DLL 3 IoCs

Processes:

cscript.exeWannaCry.exe

pid process

2620 cscript.exe
3028 WannaCry.exe
3028 WannaCry.exe

pid	process
2720	!WannaDecryptor!.exe

pid	process
2620	cscript.exe
3028	WannaCry.exe
3028	WannaCry.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1068 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2084 taskkill.exe
2124 taskkill.exe
2508 taskkill.exe
2040 taskkill.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

!WannaDecryptor!.exe

pid process

2720 !WannaDecryptor!.exe
2720 !WannaDecryptor!.exe

pid	process
1068	vssadmin.exe

pid	process
2084	taskkill.exe
2124	taskkill.exe
2508	taskkill.exe
2040	taskkill.exe

pid	process
2720	!WannaDecryptor!.exe
2720	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

WannaCry.execmd.exe

description	pid	process	target process
PID 3028 wrote to memory of 2944	3028	WannaCry.exe	cmd.exe
PID 3028 wrote to memory of 2944	3028	WannaCry.exe	cmd.exe
PID 3028 wrote to memory of 2944	3028	WannaCry.exe	cmd.exe
PID 3028 wrote to memory of 2944	3028	WannaCry.exe	cmd.exe
PID 2944 wrote to memory of 2620	2944	cmd.exe	cscript.exe
PID 2944 wrote to memory of 2620	2944	cmd.exe	cscript.exe
PID 2944 wrote to memory of 2620	2944	cmd.exe	cscript.exe
PID 2944 wrote to memory of 2620	2944	cmd.exe	cscript.exe
PID 3028 wrote to memory of 2720	3028	WannaCry.exe	!WannaDecryptor!.exe
PID 3028 wrote to memory of 2720	3028	WannaCry.exe	!WannaDecryptor!.exe
PID 3028 wrote to memory of 2720	3028	WannaCry.exe	!WannaDecryptor!.exe
PID 3028 wrote to memory of 2720	3028	WannaCry.exe	!WannaDecryptor!.exe
PID 3028 wrote to memory of 2040	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2040	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2040	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2040	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2508	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2508	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2508	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2508	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2124	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2124	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2124	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2124	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2084	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2084	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2084	3028	WannaCry.exe	taskkill.exe
PID 3028 wrote to memory of 2084	3028	WannaCry.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\cmd.exe
cmd /c 313761717723181.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
- Loads dropped DLL
PID:2620

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
PID:2040

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
PID:2508

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
PID:2124

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
PID:2084

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
PID:2764

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:268

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1068

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
PID:1088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
921B

MD5
609b2625705a6fd9546a48dbd4336496

SHA1
a57b4f26b451b46f9938226bdd6db57efce1bef7

SHA256
151f965246a43a36dd54a5c8d26da101a7636d61d981a143b9f355d27f85782c

SHA512
9f770c1187e58af8b01758ef72d4f5599b4745433923a3a7ef21875b1f3f4cfbbf3119ff50623b213ac536451561294c52389196ca73a665375b08d443428124

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
512ae7a49bf5664efdc1160db7ffcc2e

SHA1
c8993620b3e91adf9eb9468aca07230e2d25a7e9

SHA256
5bab9e710baad101050d9dc50dce90b656d6f2131ead987bd1d5dc2fddb454cd

SHA512
25e482627b448677665b42622234c240c9234f90849a5136315628d32b7e5c30d95ef21f3a69b600032d1fc47895a96e92db62810935613613874d3d7d8cee09

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
0ac875d44887bb0f4c535b2bfb437635

SHA1
1da2bfdf6f58fc0379eaa9b2dc827344699703ac

SHA256
5457542fb92cf3a385f0c84467c1e2ef83cbfab37aef470bd8eb740a5885d425

SHA512
25162001910f80926d54034e9aa36d297be31239faa5a72b2501957600bffb2587b2aceb182223f2c7f56190f650d1cff01f0efe455c9ebe65696da50f5edea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
a0de6d3e54c0f613536478346b61fcd5

SHA1
a12c36ad2b1df992b2f794fe96d62d9a27d86bb2

SHA256
cd2a37d8bcc89a329c7c6b3c0479a1d2d49479b9d37f0096486e553556cc29fa

SHA512
7258d5ef858e68ba819ebedb4d4c7e6ddcd11b3c922c03fcb4a4b486a459bccf88946e367a40108fc39a72ae25aae5aec0dcc6712b32c9c8f3cf3dd4919adb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\313761717723181.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
e1f777d02c6b81d94208f1e2e469bb73

SHA1
88758901e0cae40353a2dc040b8282b796cae9cb

SHA256
cded9e454f5bbda32652e5bc663e903c9f67c24416bf2e595897ad604cbde154

SHA512
c40f4a1289cc6a28cc5f34277bee425774b51b491fa30a9ddfbb5ad14b4a22baf03405e064c67357e226d82630711a90f2cae1b98f59bcd3bec8f1c0fdf95e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/3028-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download