wannacry | b0e67944726a2d7a14c9ce5fbfa1914b85666d547cc09118b278e89aeb5307cd

General

Target

WannaCry.exe
Size

623KB
MD5

eea571229a25bc2f5b59dce07c361cb2
SHA1

b341437a1f94d645e5628d8491f068de1a049fb9
SHA256

b0e67944726a2d7a14c9ce5fbfa1914b85666d547cc09118b278e89aeb5307cd
SHA512

1b52740a0fbbb26cd8ad94167b443a81761ba8d48ae9b2931c924a2dcacb3de1727faf12858714712e863cd8d4a6412780ee466e45765565e707422ace583fca
SSDEEP

12288:JzNGgFeDQ8sYnJl6+CIxNbMV6DqJ598Fu8l3hIX61Ho7:TGKUQ8sYJlFtMV6DqJ4u8lQ6S7

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Executes dropped EXE 2 IoCs

pid	Process
2684	Starter.exe
2640	@[email protected]

Loads dropped DLL 5 IoCs

pid	Process
2448	WannaCry.exe
2448	WannaCry.exe
2448	WannaCry.exe
2684	Starter.exe
2684	Starter.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Control Panel\Desktop\Wallpaper = "C:\\Fake\\@[email protected]"	Starter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2640	@[email protected]

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2640	@[email protected]
2640	@[email protected]

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2684	2448	WannaCry.exe	28
PID 2448 wrote to memory of 2684	2448	WannaCry.exe	28
PID 2448 wrote to memory of 2684	2448	WannaCry.exe	28
PID 2448 wrote to memory of 2684	2448	WannaCry.exe	28
PID 2684 wrote to memory of 2640	2684	Starter.exe	30
PID 2684 wrote to memory of 2640	2684	Starter.exe	30
PID 2684 wrote to memory of 2640	2684	Starter.exe	30
PID 2684 wrote to memory of 2640	2684	Starter.exe	30

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Fake\Starter.exe
  "C:\Fake\Starter.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Sets desktop wallpaper using registry
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Fake\@[email protected]
    C:\Fake\@[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Fake\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Fake\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Fake\c.wnry

Filesize
781B

MD5
998db8ebce70eefeab304ede37a0f7ba

SHA1
e9776d7163c3f3cd7b4cf93a07e6c5993d0a4280

SHA256
8cbb3d1d5686ac757ca7fc3d72c0f55983567382d4bd580b56fa5bc267a20a5f

SHA512
98cb532c485cac4e3b03743d980e0680354304e893c8295385985e14503569e5f8d6a5fd3aadddb00a19dfe0cd718da6f9282332a63ec8ddbbbe6f90eacc881f

Download Submit
C:\Fake\msg\m_English.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Fake\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Fake\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
\Fake\Starter.exe

Filesize
76KB

MD5
ad38305ac309c46033e2c65a25abc61f

SHA1
8e4fb6f0b4e62c2b6fdb92c4f5d884a7f7867bfd

SHA256
236e79f52960f6c8ec5c5ff9d15026953e2100c7c7ec8d1d2d6ee17e3ea5c8a4

SHA512
7be823bd1d2941253c38227faf23efe3801450f958a5ebd751354a8b672922c35d23df03c9e6af398fe4e15d4864dc78c68e52483af9b7e9840dab2c4245be44

Download Submit

Analysis

Sharing