wannacry | b0e67944726a2d7a14c9ce5fbfa1914b85666d547cc09118b278e89aeb5307cd

General

Target

WannaCry.exe
Size

623KB
MD5

eea571229a25bc2f5b59dce07c361cb2
SHA1

b341437a1f94d645e5628d8491f068de1a049fb9
SHA256

b0e67944726a2d7a14c9ce5fbfa1914b85666d547cc09118b278e89aeb5307cd
SHA512

1b52740a0fbbb26cd8ad94167b443a81761ba8d48ae9b2931c924a2dcacb3de1727faf12858714712e863cd8d4a6412780ee466e45765565e707422ace583fca
SSDEEP

12288:JzNGgFeDQ8sYnJl6+CIxNbMV6DqJ598Fu8l3hIX61Ho7:TGKUQ8sYJlFtMV6DqJ4u8lQ6S7

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 2 IoCs

Processes:

Starter.exe@[email protected]

pid process

2688 Starter.exe
1668 @[email protected]
Loads dropped DLL 5 IoCs

Processes:

WannaCry.exeStarter.exe

pid process

2972 WannaCry.exe
2972 WannaCry.exe
2972 WannaCry.exe
2688 Starter.exe
2688 Starter.exe

pid	process
2688	Starter.exe
1668	@[email protected]

pid	process
2972	WannaCry.exe
2972	WannaCry.exe
2972	WannaCry.exe
2688	Starter.exe
2688	Starter.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

@[email protected]Starter.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Fake\\@[email protected]"	Starter.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

@[email protected]

pid process

1668 @[email protected]
1668 @[email protected]

pid	process
1668	@[email protected]
1668	@[email protected]

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WannaCry.exeStarter.exe

description	pid	process	target process
PID 2972 wrote to memory of 2688	2972	WannaCry.exe	Starter.exe
PID 2972 wrote to memory of 2688	2972	WannaCry.exe	Starter.exe
PID 2972 wrote to memory of 2688	2972	WannaCry.exe	Starter.exe
PID 2972 wrote to memory of 2688	2972	WannaCry.exe	Starter.exe
PID 2688 wrote to memory of 1668	2688	Starter.exe	@[email protected]
PID 2688 wrote to memory of 1668	2688	Starter.exe	@[email protected]
PID 2688 wrote to memory of 1668	2688	Starter.exe	@[email protected]
PID 2688 wrote to memory of 1668	2688	Starter.exe	@[email protected]

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972

C:\Fake\Starter.exe
"C:\Fake\Starter.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2688

C:\Fake\@[email protected]
C:\Fake\@[email protected]
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Fake\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Fake\c.wnry

Filesize
781B

MD5
686c07eb756f32ae91c82d4cbcfc1b45

SHA1
23c71e7372ae7b5738e50b23e0dfb430c5bbfbaa

SHA256
554e9a21e53457222ad3155ad342d31106e262c606d86fc44c20c4f5aca1c94f

SHA512
6b85756bc144ba4c4d173588ba2e2916e4dece6637c7be92e950856f62975c60329daeac27ddcaaa6a1e67b375937cacaac5545d9b67d0466b6b8fdd7aae7804

Download Submit
C:\Fake\msg\m_English.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Fake\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Fake\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
\Fake\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
\Fake\Starter.exe

Filesize
76KB

MD5
ad38305ac309c46033e2c65a25abc61f

SHA1
8e4fb6f0b4e62c2b6fdb92c4f5d884a7f7867bfd

SHA256
236e79f52960f6c8ec5c5ff9d15026953e2100c7c7ec8d1d2d6ee17e3ea5c8a4

SHA512
7be823bd1d2941253c38227faf23efe3801450f958a5ebd751354a8b672922c35d23df03c9e6af398fe4e15d4864dc78c68e52483af9b7e9840dab2c4245be44

Download Submit

Analysis

Sharing