Overview

overview

10

Static

static

3

WannaCry.exe

windows10-1703-x64

10

Resubmissions

06-08-2024 18:54

240806-xkfalsxckp 10

06-08-2024 15:17

240806-spgxsawekf 10

06-08-2024 15:16

240806-snyh5swejf 10

06-08-2024 15:15

240806-smzptawdph 10

06-08-2024 14:54

240806-r9xnaswbjb 10

06-08-2024 01:49

240806-b88feazcka 10

Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06-08-2024 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WannaCry.exe

  • Size

    224KB

  • MD5

    5c7fb0927db37372da25f270708103a2

  • SHA1

    120ed9279d85cbfa56e5b7779ffa7162074f7a29

  • SHA256

    be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

  • SHA512

    a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

  • SSDEEP

    3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score
10/10
wannacrydefense_evasiondiscoveryexecutionimpactpersistenceransomwarespywarestealerworm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Kills process with taskkill 4 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
    "C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 139291722909013.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4512
      • C:\Windows\SysWOW64\cscript.exe
        cscript //nologo c.vbs
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4356
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe f
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4080
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im MSExchange*
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1492
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:796
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlserver.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4304
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlwriter.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4984
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe c
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1896
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b !WannaDecryptor!.exe v
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4312
      • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
        !WannaDecryptor!.exe v
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4460
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1612
          • C:\Windows\SysWOW64\vssadmin.exe
            vssadmin delete shadows /all /quiet
            5⤵
            • System Location Discovery: System Language Discovery
            • Interacts with shadow copies
            PID:4396
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1568
    • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3300
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt
    Filesize

    797B

    MD5

    afa18cf4aa2660392111763fb93a8c3d

    SHA1

    c219a3654a5f41ce535a09f2a188a464c3f5baf5

    SHA256

    227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

    SHA512

    4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    Filesize

    236KB

    MD5

    cf1416074cd7791ab80a18f9e7e219d9

    SHA1

    276d2ec82c518d887a8a3608e51c56fa28716ded

    SHA256

    78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

    SHA512

    0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
    Filesize

    1KB

    MD5

    14f73f167e21a350e3d62ed8e4048265

    SHA1

    111922153c43ffa64454c7556790c67fd9031b0a

    SHA256

    ad21c8ac824d06ab41a955d30f40553d7416c79be320d0deffb4050118528ea2

    SHA512

    55fff220489c5cb721230049b5b258070b010a144d43a41b53c57449492d9a1be803799f5fdcb9492688a07bd411b36e1a2aeaab5790b8783ab93d31bfd9f56a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\00000000.eky
    Filesize

    1KB

    MD5

    2fa6eb96567189c31e460188b0964b5d

    SHA1

    dd106ef486887a481665f300f04cd31b51d9d483

    SHA256

    716d3b061cefee56fb7b0c059eb35401c24483950ea1011415eccebee5dbf840

    SHA512

    aa11481e21feb32163303cc39318562b5dc41b796cf292694331ec1c464fdf8d3aca286b742e212a616dc2e0581fbd3216e9ac5fa2b54dffa6f507b6c9f7feb5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\00000000.res
    Filesize

    136B

    MD5

    1283c887820ecaa87a9681fcba880b1d

    SHA1

    573b52531de11202762a68d0fd4d6e109cc15ac4

    SHA256

    aa7d598dc2f9d38f9107a354d2552311f4b3bb5b8a0843274693807a8ba03717

    SHA512

    0c053f76e5b73814abb4fd60571043d2365bec75253537857dcd6f2a242f1c10ccb79bb94ed4d19d53cad128d531f16fee1e755fa6f9e4aced7ce9dee4d5fbb1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\00000000.res
    Filesize

    136B

    MD5

    4e04cb6c10bd35ca70ab345f12d343c1

    SHA1

    a3b3820c78826e27250dcc3c2004cd9a589f55bb

    SHA256

    06d33a0371878f3caf9d544317109c7e917fc90d16f908972b61791d8f449765

    SHA512

    e7814aa7293a4ee22a1ea6da9c250ba4a98064704dd253c75663b5fe0583759169e55ee46021a03d50301ee5c3854e15566d58cef15fcb446c7433c779b42a52

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\00000000.res
    Filesize

    136B

    MD5

    0dd4b5e808c43c5f53eac92ddd713a84

    SHA1

    a43c1c518323bbb0c10706f7c2b91cdf71d36cf6

    SHA256

    a0e88d5175c56487f2c2af99172b3fd75adb6ba80fb3ef4d6c0260aacd1a7b2d

    SHA512

    68055a61d35f2032ae66a7488c9f3fa4c76d933fc631b229839ff84251fc9e7e1dfdec6d80909e4809d8c2f3d6742a6fa2ad03fbd3c4dd45c447a54703af2354

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\00000000.res
    Filesize

    136B

    MD5

    f0944c91f97bd493e4bf7707e86af814

    SHA1

    3f26b52a35e4ec6dfeae012c4f28e47d9f8c61ba

    SHA256

    44b51bc0638656055b94a6e8f39c29113dd7f46d182ffc6a691fabf00d5d6881

    SHA512

    65211e997874c159cfd91aca7890a033e12ba6ce6b2a72d3f3ed68b30e895949bcf08ff200852cb9992e84bc976cbf0b70e35e74b07d4aa02308e72c58345cdc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\139291722909013.bat
    Filesize

    336B

    MD5

    3540e056349c6972905dc9706cd49418

    SHA1

    492c20442d34d45a6d6790c720349b11ec591cde

    SHA256

    73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

    SHA512

    c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c.vbs
    Filesize

    219B

    MD5

    5f6d40ca3c34b470113ed04d06a88ff4

    SHA1

    50629e7211ae43e32060686d6be17ebd492fd7aa

    SHA256

    0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

    SHA512

    4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c.wry
    Filesize

    628B

    MD5

    58b6f3680223a45d3ce86306714c75da

    SHA1

    0a0de4746275fbdebe41435adb6b7ddd2e55ae75

    SHA256

    9c3263d9693a7a26ff2ad8d2a9860b2ae9e5d39cd04a1a59a080b7caaafe940e

    SHA512

    69955788ca29a9a6a36effa7aab524f3085fc4153b033534539beea9d8eebd7bf1e6146e7a5dfa55336d72e6723ab28eba37fc4bc05351e0719c55ef9181b794

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\m.wry
    Filesize

    42KB

    MD5

    980b08bac152aff3f9b0136b616affa5

    SHA1

    2a9c9601ea038f790cc29379c79407356a3d25a3

    SHA256

    402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

    SHA512

    100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

    Download Submit

  • memory/3380-6-0x0000000010000000-0x0000000010012000-memory.dmp

    Filesize

    72KB

    Download