wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
49s
max time network
18s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBB2F.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBB33.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

pid	Process
2868	!WannaDecryptor!.exe
772	!WannaDecryptor!.exe
1592	!WannaDecryptor!.exe
1652	!WannaDecryptor!.exe

Loads dropped DLL 9 IoCs

pid	Process
2888	cscript.exe
2132	WannaCry.exe
2132	WannaCry.exe
2132	WannaCry.exe
2132	WannaCry.exe
2436	cmd.exe
2436	cmd.exe
2132	WannaCry.exe
2132	WannaCry.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1856	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1672	taskkill.exe
1592	taskkill.exe
1956	taskkill.exe
1856	taskkill.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1652	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeBackupPrivilege	1212	vssvc.exe
Token: SeRestorePrivilege	1212	vssvc.exe
Token: SeAuditPrivilege	1212	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1468	WMIC.exe
Token: SeSecurityPrivilege	1468	WMIC.exe
Token: SeTakeOwnershipPrivilege	1468	WMIC.exe
Token: SeLoadDriverPrivilege	1468	WMIC.exe
Token: SeSystemProfilePrivilege	1468	WMIC.exe
Token: SeSystemtimePrivilege	1468	WMIC.exe
Token: SeProfSingleProcessPrivilege	1468	WMIC.exe
Token: SeIncBasePriorityPrivilege	1468	WMIC.exe
Token: SeCreatePagefilePrivilege	1468	WMIC.exe
Token: SeBackupPrivilege	1468	WMIC.exe
Token: SeRestorePrivilege	1468	WMIC.exe
Token: SeShutdownPrivilege	1468	WMIC.exe
Token: SeDebugPrivilege	1468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1468	WMIC.exe
Token: SeRemoteShutdownPrivilege	1468	WMIC.exe
Token: SeUndockPrivilege	1468	WMIC.exe
Token: SeManageVolumePrivilege	1468	WMIC.exe
Token: 33	1468	WMIC.exe
Token: 34	1468	WMIC.exe
Token: 35	1468	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1468	WMIC.exe
Token: SeSecurityPrivilege	1468	WMIC.exe
Token: SeTakeOwnershipPrivilege	1468	WMIC.exe
Token: SeLoadDriverPrivilege	1468	WMIC.exe
Token: SeSystemProfilePrivilege	1468	WMIC.exe
Token: SeSystemtimePrivilege	1468	WMIC.exe
Token: SeProfSingleProcessPrivilege	1468	WMIC.exe
Token: SeIncBasePriorityPrivilege	1468	WMIC.exe
Token: SeCreatePagefilePrivilege	1468	WMIC.exe
Token: SeBackupPrivilege	1468	WMIC.exe
Token: SeRestorePrivilege	1468	WMIC.exe
Token: SeShutdownPrivilege	1468	WMIC.exe
Token: SeDebugPrivilege	1468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1468	WMIC.exe
Token: SeRemoteShutdownPrivilege	1468	WMIC.exe
Token: SeUndockPrivilege	1468	WMIC.exe
Token: SeManageVolumePrivilege	1468	WMIC.exe
Token: 33	1468	WMIC.exe
Token: 34	1468	WMIC.exe
Token: 35	1468	WMIC.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2868	!WannaDecryptor!.exe
2868	!WannaDecryptor!.exe
772	!WannaDecryptor!.exe
772	!WannaDecryptor!.exe
1592	!WannaDecryptor!.exe
1592	!WannaDecryptor!.exe
1652	!WannaDecryptor!.exe
1652	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2392	2132	WannaCry.exe	30
PID 2132 wrote to memory of 2392	2132	WannaCry.exe	30
PID 2132 wrote to memory of 2392	2132	WannaCry.exe	30
PID 2132 wrote to memory of 2392	2132	WannaCry.exe	30
PID 2392 wrote to memory of 2888	2392	cmd.exe	32
PID 2392 wrote to memory of 2888	2392	cmd.exe	32
PID 2392 wrote to memory of 2888	2392	cmd.exe	32
PID 2392 wrote to memory of 2888	2392	cmd.exe	32
PID 2132 wrote to memory of 2868	2132	WannaCry.exe	33
PID 2132 wrote to memory of 2868	2132	WannaCry.exe	33
PID 2132 wrote to memory of 2868	2132	WannaCry.exe	33
PID 2132 wrote to memory of 2868	2132	WannaCry.exe	33
PID 2132 wrote to memory of 1672	2132	WannaCry.exe	34
PID 2132 wrote to memory of 1672	2132	WannaCry.exe	34
PID 2132 wrote to memory of 1672	2132	WannaCry.exe	34
PID 2132 wrote to memory of 1672	2132	WannaCry.exe	34
PID 2132 wrote to memory of 1592	2132	WannaCry.exe	35
PID 2132 wrote to memory of 1592	2132	WannaCry.exe	35
PID 2132 wrote to memory of 1592	2132	WannaCry.exe	35
PID 2132 wrote to memory of 1592	2132	WannaCry.exe	35
PID 2132 wrote to memory of 1956	2132	WannaCry.exe	37
PID 2132 wrote to memory of 1956	2132	WannaCry.exe	37
PID 2132 wrote to memory of 1956	2132	WannaCry.exe	37
PID 2132 wrote to memory of 1956	2132	WannaCry.exe	37
PID 2132 wrote to memory of 1856	2132	WannaCry.exe	38
PID 2132 wrote to memory of 1856	2132	WannaCry.exe	38
PID 2132 wrote to memory of 1856	2132	WannaCry.exe	38
PID 2132 wrote to memory of 1856	2132	WannaCry.exe	38
PID 2132 wrote to memory of 772	2132	WannaCry.exe	44
PID 2132 wrote to memory of 772	2132	WannaCry.exe	44
PID 2132 wrote to memory of 772	2132	WannaCry.exe	44
PID 2132 wrote to memory of 772	2132	WannaCry.exe	44
PID 2132 wrote to memory of 2436	2132	WannaCry.exe	45
PID 2132 wrote to memory of 2436	2132	WannaCry.exe	45
PID 2132 wrote to memory of 2436	2132	WannaCry.exe	45
PID 2132 wrote to memory of 2436	2132	WannaCry.exe	45
PID 2436 wrote to memory of 1592	2436	cmd.exe	47
PID 2436 wrote to memory of 1592	2436	cmd.exe	47
PID 2436 wrote to memory of 1592	2436	cmd.exe	47
PID 2436 wrote to memory of 1592	2436	cmd.exe	47
PID 2132 wrote to memory of 1652	2132	WannaCry.exe	48
PID 2132 wrote to memory of 1652	2132	WannaCry.exe	48
PID 2132 wrote to memory of 1652	2132	WannaCry.exe	48
PID 2132 wrote to memory of 1652	2132	WannaCry.exe	48
PID 1592 wrote to memory of 2140	1592	!WannaDecryptor!.exe	50
PID 1592 wrote to memory of 2140	1592	!WannaDecryptor!.exe	50
PID 1592 wrote to memory of 2140	1592	!WannaDecryptor!.exe	50
PID 1592 wrote to memory of 2140	1592	!WannaDecryptor!.exe	50
PID 2140 wrote to memory of 1856	2140	cmd.exe	52
PID 2140 wrote to memory of 1856	2140	cmd.exe	52
PID 2140 wrote to memory of 1856	2140	cmd.exe	52
PID 2140 wrote to memory of 1856	2140	cmd.exe	52
PID 2140 wrote to memory of 1468	2140	cmd.exe	54
PID 2140 wrote to memory of 1468	2140	cmd.exe	54
PID 2140 wrote to memory of 1468	2140	cmd.exe	54
PID 2140 wrote to memory of 1468	2140	cmd.exe	54

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 282761723542729.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2888
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2868
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:1856
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
921B

MD5
fd858f9748ff94b0edabcbf8e3a8e1cb

SHA1
dbf36e43c9d4630a4575275dceff7e4028e2b563

SHA256
ea6430d45f2c0f792eeeb72eeb8f8bd52233d310d2e51cea22ca67a227163ddf

SHA512
97904dc0328c05b2f9bc174b2456190fbaf61e6d0dd56f39f2180c69ad0cee28f360ab732baab67a532ca84d8545c635628de9ea1e29e28c113c6d9cabd61573

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.eky

Filesize
1KB

MD5
272026938b7297b526ce70f66f8d365a

SHA1
690cf1f5dde00a495da0590c8a3079ef3687955a

SHA256
c99b218d0aff9496cc80d9742af2a1a46b36c05715182268014117fc2d0abcd3

SHA512
07be99702ee933ad1a39e8db93259431aebc6796efa3093d1d5fc98e98f795cfc1eeb4ace14a1d0d382de602e5c8f4f9cc80b3391edd3d42eb8ddd899c7a8dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
b873e676a7bfd360d81e14f2e9a56867

SHA1
a001beb219ceeba486780c98389ff36816d301e9

SHA256
8c2d504da3d27a40a14c893ed8dfe77c69f8526c6d29f5e611fb3a97243f02cf

SHA512
ff78e900a69cbbd1e6ec1d03b012ed593ff53b4a354b93a577ac076a17cb0700690030fd2bddc6daec6368fd690ddb7c9945c0a0a3c907cb6cc96ac7baea807c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
f3e29b964c79fc3663afbcfc0c7f71d8

SHA1
d0d40cbd5643caa0f5190a7a1a9d03b714e69891

SHA256
2180523c7d7a59e56c96346415cfdc42544d623d2717cf863b52c56d7492eee8

SHA512
a84da23609135340e2f24e7f83bff3833abeae0af0d21fc8e23c340c5b7b0e5d012fbb1e7f3768dbcb8e7cd4d96563c188191c3c5e687f0262d29f3c3ef274b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
b4eef926e1f94249135e5f5860fde42c

SHA1
10511e09d6aff1c7a5c8f791d7073e78f0f340f5

SHA256
971d2839c73cf1b300866b0d83c797052dea9e59f9d3e54c408d3535b1a1067d

SHA512
b58b0ee4a54c96079056b0877c0a3f9baa515e03496ef371255d2be9354e1a6f9c4ee60973c6c795541bde39be2d3171e7a4a49be8664c59521db91f3ff46847

Download Submit
C:\Users\Admin\AppData\Local\Temp\282761723542729.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
8dfc57497ed7beeebfd80441d807c42a

SHA1
c9bb4a85808047fc48b336209b339437053ac51d

SHA256
17ef5f967543bf20a4a32e81771ec2f54ee400eaf955d969c5c2cc849d30ab59

SHA512
7f3f3090db0ded03a3ff71ba881b519e9d5381c5f66be0e1d31e96703f5c38dda77fda82f7665cdc044f947b15d5153f61f2b2fc338e763d1149fcb6dba9e605

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.wry

Filesize
282B

MD5
d55dede4123e127f4ec1b52ef7dda496

SHA1
18df598fec1ec079ab80e57e6478a1e2d48bb736

SHA256
524d0bffc7d3ec05583e49d4af74ff24e1b66854da61f0294e6a4336eea9290b

SHA512
5191c63562641882f7b03157db720ff81550dad04f198c7c87acccf3509fb4df8785d00449522462f0bce62edd0c5da4e1c369e1bb7015a3d4aab519c8801e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\WriteRead.xltm.WCRY

Filesize
390KB

MD5
95fb5ed1c0cf1082d3b234b04ce15034

SHA1
254e64179f7777666e853ab441828d53d115d25f

SHA256
d8cb30bc37c3ee5fa7a8961c12d94647893137757dc6f6609297413da0074cd0

SHA512
29bfd2bb55229f28e47afff2591ffd5c6afbe8030dff44e8538244c7d172c4c85e5f619e77327ffc21245adcf315ae6bed274544cb04f32c67db59e9b29d8519

Download Submit
C:\Users\Admin\Pictures\FindResume.tif.WCRY

Filesize
588KB

MD5
f59af7a0dd4a9e244e9181462bb20b08

SHA1
15fc46d02a4d80c133b3f4ae877be8b74188eeba

SHA256
97622deae6db2a891abcbba96461d8223867b23c0b1648820246867b167d2f34

SHA512
c5a5a74b21bfa89737b2aece1eef8aa0e32d80536719e3234436a3c4a7a3ce31de51b930b6c46f584967404ba3221c35454fafe8680696408b0c73cc7ddf3829

Download Submit
C:\Users\All Users\Microsoft\User Account Pictures\user.bmp.WCRY

Filesize
48KB

MD5
657ab4c6ee6c232dccf51635eaa9caf5

SHA1
4bace2870ff19f01f9e0346d4a5263f13cb13cdb

SHA256
feee8f19650597ca3e25632e168ca3fc00c15847a6cdebb142c850aa3451e842

SHA512
ebedf118475edc09e9dce4fa4072fc6aeaa0b85e1e073eb508fa4c8962adbc7ed4faefae310ecf73f4e669dd6a52ac44abb22f5ddc467b742433cae2768959ec

Download Submit
C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WCRY

Filesize
504KB

MD5
1b79f0788a1fcaeac896f1d6ac3970d6

SHA1
61edbaa358c913f0313d60e472534e8d0920e223

SHA256
c639db66167d8c8f0c4b22fa00d801b1e822aae46ab1a3bdf0f1673bf75c1b14

SHA512
e0b40e99170b90f2727ef10fb8749eee0b9f3d9bcd5ee7ace3aaa75ad5a8f24755a68ca3660303fa05f1be7ad60f71857b1685c9a4d81823f59580e9076cbf6f

Download Submit
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.WCRY

Filesize
25.0MB

MD5
cdafcf4d6760123ccb6694cf0b370705

SHA1
ca8af3ae25a84deeea56a9161ef717b90aacf795

SHA256
93dd00e91b9a1585ac4faa1fa5954a8f2e41703a7de99fe2663d5d79752a09d2

SHA512
cd5b5a46e0b32e523091537a64934c6094085c39f29d8cdd444c75169065627200b5068947b50239fa8a8c702ab5eb44c7e8a42a09b3c6416a96972e9a683901

Download Submit
memory/2132-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads