Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system -
submitted
23-07-2024 18:15
Static task
static1
Behavioral task
behavioral1
Sample
WannaCry.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral2
Sample
WannaCry.exe
Resource
win11-20240709-en
General
-
Target
WannaCry.exe
-
Size
224KB
-
MD5
5c7fb0927db37372da25f270708103a2
-
SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29
-
SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
-
SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
SSDEEP
3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 2 IoCs
Processes:
WannaCry.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDE415.tmp WannaCry.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDE42C.tmp WannaCry.exe -
Executes dropped EXE 4 IoCs
Processes:
!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exepid process 2320 !WannaDecryptor!.exe 4836 !WannaDecryptor!.exe 2604 !WannaDecryptor!.exe 4344 !WannaDecryptor!.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
WannaCry.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" WannaCry.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
!WannaDecryptor!.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" !WannaDecryptor!.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
taskkill.exe!WannaDecryptor!.exetaskkill.execmd.execmd.exeWannaCry.execmd.execscript.exe!WannaDecryptor!.exetaskkill.exetaskkill.exe!WannaDecryptor!.exe!WannaDecryptor!.exeWMIC.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language !WannaDecryptor!.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WannaCry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language !WannaDecryptor!.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language !WannaDecryptor!.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language !WannaDecryptor!.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 2956 taskkill.exe 4972 taskkill.exe 2520 taskkill.exe 4348 taskkill.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exedescription pid process Token: SeDebugPrivilege 2956 taskkill.exe Token: SeDebugPrivilege 2520 taskkill.exe Token: SeDebugPrivilege 4972 taskkill.exe Token: SeDebugPrivilege 4348 taskkill.exe Token: SeIncreaseQuotaPrivilege 628 WMIC.exe Token: SeSecurityPrivilege 628 WMIC.exe Token: SeTakeOwnershipPrivilege 628 WMIC.exe Token: SeLoadDriverPrivilege 628 WMIC.exe Token: SeSystemProfilePrivilege 628 WMIC.exe Token: SeSystemtimePrivilege 628 WMIC.exe Token: SeProfSingleProcessPrivilege 628 WMIC.exe Token: SeIncBasePriorityPrivilege 628 WMIC.exe Token: SeCreatePagefilePrivilege 628 WMIC.exe Token: SeBackupPrivilege 628 WMIC.exe Token: SeRestorePrivilege 628 WMIC.exe Token: SeShutdownPrivilege 628 WMIC.exe Token: SeDebugPrivilege 628 WMIC.exe Token: SeSystemEnvironmentPrivilege 628 WMIC.exe Token: SeRemoteShutdownPrivilege 628 WMIC.exe Token: SeUndockPrivilege 628 WMIC.exe Token: SeManageVolumePrivilege 628 WMIC.exe Token: 33 628 WMIC.exe Token: 34 628 WMIC.exe Token: 35 628 WMIC.exe Token: 36 628 WMIC.exe Token: SeIncreaseQuotaPrivilege 628 WMIC.exe Token: SeSecurityPrivilege 628 WMIC.exe Token: SeTakeOwnershipPrivilege 628 WMIC.exe Token: SeLoadDriverPrivilege 628 WMIC.exe Token: SeSystemProfilePrivilege 628 WMIC.exe Token: SeSystemtimePrivilege 628 WMIC.exe Token: SeProfSingleProcessPrivilege 628 WMIC.exe Token: SeIncBasePriorityPrivilege 628 WMIC.exe Token: SeCreatePagefilePrivilege 628 WMIC.exe Token: SeBackupPrivilege 628 WMIC.exe Token: SeRestorePrivilege 628 WMIC.exe Token: SeShutdownPrivilege 628 WMIC.exe Token: SeDebugPrivilege 628 WMIC.exe Token: SeSystemEnvironmentPrivilege 628 WMIC.exe Token: SeRemoteShutdownPrivilege 628 WMIC.exe Token: SeUndockPrivilege 628 WMIC.exe Token: SeManageVolumePrivilege 628 WMIC.exe Token: 33 628 WMIC.exe Token: 34 628 WMIC.exe Token: 35 628 WMIC.exe Token: 36 628 WMIC.exe Token: SeBackupPrivilege 3488 vssvc.exe Token: SeRestorePrivilege 3488 vssvc.exe Token: SeAuditPrivilege 3488 vssvc.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exepid process 2320 !WannaDecryptor!.exe 2320 !WannaDecryptor!.exe 4836 !WannaDecryptor!.exe 4836 !WannaDecryptor!.exe 2604 !WannaDecryptor!.exe 2604 !WannaDecryptor!.exe 4344 !WannaDecryptor!.exe 4344 !WannaDecryptor!.exe -
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exedescription pid process target process PID 324 wrote to memory of 2604 324 WannaCry.exe cmd.exe PID 324 wrote to memory of 2604 324 WannaCry.exe cmd.exe PID 324 wrote to memory of 2604 324 WannaCry.exe cmd.exe PID 2604 wrote to memory of 1380 2604 cmd.exe cscript.exe PID 2604 wrote to memory of 1380 2604 cmd.exe cscript.exe PID 2604 wrote to memory of 1380 2604 cmd.exe cscript.exe PID 324 wrote to memory of 2320 324 WannaCry.exe !WannaDecryptor!.exe PID 324 wrote to memory of 2320 324 WannaCry.exe !WannaDecryptor!.exe PID 324 wrote to memory of 2320 324 WannaCry.exe !WannaDecryptor!.exe PID 324 wrote to memory of 2956 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 2956 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 2956 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 4972 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 4972 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 4972 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 2520 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 2520 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 2520 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 4348 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 4348 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 4348 324 WannaCry.exe taskkill.exe PID 324 wrote to memory of 4836 324 WannaCry.exe !WannaDecryptor!.exe PID 324 wrote to memory of 4836 324 WannaCry.exe !WannaDecryptor!.exe PID 324 wrote to memory of 4836 324 WannaCry.exe !WannaDecryptor!.exe PID 324 wrote to memory of 1232 324 WannaCry.exe cmd.exe PID 324 wrote to memory of 1232 324 WannaCry.exe cmd.exe PID 324 wrote to memory of 1232 324 WannaCry.exe cmd.exe PID 1232 wrote to memory of 2604 1232 cmd.exe !WannaDecryptor!.exe PID 1232 wrote to memory of 2604 1232 cmd.exe !WannaDecryptor!.exe PID 1232 wrote to memory of 2604 1232 cmd.exe !WannaDecryptor!.exe PID 324 wrote to memory of 4344 324 WannaCry.exe !WannaDecryptor!.exe PID 324 wrote to memory of 4344 324 WannaCry.exe !WannaDecryptor!.exe PID 324 wrote to memory of 4344 324 WannaCry.exe !WannaDecryptor!.exe PID 2604 wrote to memory of 1076 2604 !WannaDecryptor!.exe cmd.exe PID 2604 wrote to memory of 1076 2604 !WannaDecryptor!.exe cmd.exe PID 2604 wrote to memory of 1076 2604 !WannaDecryptor!.exe cmd.exe PID 1076 wrote to memory of 628 1076 cmd.exe WMIC.exe PID 1076 wrote to memory of 628 1076 cmd.exe WMIC.exe PID 1076 wrote to memory of 628 1076 cmd.exe WMIC.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 58861721758547.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs3⤵
- System Location Discovery: System Language Discovery
PID:1380 -
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe f2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2320 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4972 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2520 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4348 -
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe c2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4836 -
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe v3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:628 -
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4344
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3488
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
Filesize
1KB
MD52d40995b5998a0083e96767415403a4f
SHA14bb6329661ab844928ac7307b8d2be59d3d7de2e
SHA256e7edf946dbfb6588e45abf2e31fdf52bc4d53cdde0481fb344b8eeb63b68e237
SHA512360c3bdf0b1a54cabf94497676bc8dc08e73da5f31bd549f7ae69d0d9670262620a05aff4fb6b488a3c477a88ab968307dd2e6ab8e9963762fe5151dd1ef59ac
-
Filesize
136B
MD5f4c9d16fce6b75737dfbd72d18986808
SHA14a999c603675c4f5cb5c9ddddcf24faa099b71b3
SHA256581f65891989c80276283f870dc4860ac00685ae90bfd3be6927fff2e4a2262b
SHA512d464070c0daf023156001739584feddb58a704837c8be36e033ece0a6ac24451332640d601474c96e3217e19da5e6a77c7ed8217d223b34c3f5510df8bb5b596
-
Filesize
136B
MD556ee89921651943f54ab930a85a56b41
SHA18c6b1d25b4db1758c8ad478f25e3f6d7f360d51b
SHA256b83dc34e044ed7b32542cb1c3c8f0598460916430bf311c8026349448c12d826
SHA512178e0675efb4920b78a7e46ed09f962ba27e07a9fe89a25723f20051c02425e15f721bc446bab63d15e1b696d69a748cfeffb2b473172314b2451e45a0291eb7
-
Filesize
136B
MD501aa653113655d829ebf7953bb15b986
SHA1a53e29a897e9af30d81c99a72fb3372292d5bc41
SHA256758663530124e63ad508b240b5b61053406eee81279a432da81f017a3cdb39a1
SHA51232f4202f82987e3921c8ff9d0493e77f807e85fb46af695f4484d6116a0797e25ccc23785e343b53e7e7bf509d790334516ee4dcbb2310d9054dfd74df0894d2
-
Filesize
336B
MD53540e056349c6972905dc9706cd49418
SHA1492c20442d34d45a6d6790c720349b11ec591cde
SHA25673872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c
-
Filesize
219B
MD55f6d40ca3c34b470113ed04d06a88ff4
SHA150629e7211ae43e32060686d6be17ebd492fd7aa
SHA2560fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA5124d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35
-
Filesize
628B
MD5e7c5cf531f7d00874e00ffb3c1c34a87
SHA1199c789d53bc7c78f126f3b69b17a95968300141
SHA2565857a15e2783293fda7ffe7feea3904d128e18cce4352b1e2c25812df38286d4
SHA5126569ac5521e7cca593a02a841b52479645d3eb1238395f720690c394e7e82796aa3f39a30d068d86c29e3061bd9919c3430e4c33cb3c4b2258bae024d8b33f64
-
Filesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5