Analysis
-
max time kernel
29s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
20-10-2024 18:52
General
-
Target
WannaCry.exe
-
Size
224KB
-
MD5
5c7fb0927db37372da25f270708103a2
-
SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29
-
SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
-
SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
SSDEEP
3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Malware Config
Extracted
C:\Users\Admin\Documents\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 9 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Kills process with taskkill 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c 199441729450364.bat2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe f2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe c2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe v3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
2Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
Filesize
921B
MD53fda739a358c37ea2076ce1e607d0fde
SHA10cbdedc919885e77a89cacf172c3d4e87990bf62
SHA2562d1c8bbf2b0ee5b0d987405353825d9b6b384b54e438dcf7f6732d1d301374d3
SHA5128c411a9523d54d7d39b74bf0d2b11f11c0854ecf53ede193bf4b1c21dc1182ac2dbe30be90eb7bdc44e50d75505a31b4ae6ef82462ecbb061f90dcd3c1f5ae26
-
Filesize
136B
MD5ed5ab9da13d83bdc391e46465ab4bc17
SHA155318809c719624b2fc7964176f2edf38b49f8a0
SHA256cf2401ebba6104fdcf797a0fc7c2d954b740f2cb529a89b72e784d85a633c543
SHA512d8bad336070998ecdca1e3a33cca8f02c9943d8f88d3a30e81dfd9d183501b9bc1348125e3b112cb55fb74d10916b1954f1c20410989e0e9b298f2cc32365dcd
-
Filesize
136B
MD562812f4b112376d366f4a28d1c218cf1
SHA1e891625e52d04af5989bf453db4aaa12b09b7d3f
SHA256421b6bcf1be52768a79e71944d889b19bb8f73941fbef6940fb51690b278f9e2
SHA51217ecf88ac0be2c6ebb2b6ce42705c3f0e101da77ea1914c57a3298b725fc74db448580be4a44b0e15c55d4ecbbe5bfaa15f24e3eec0b280e6ca96efa33d0520d
-
Filesize
136B
MD531c4681a11006590913153dd14906699
SHA16e7678e716f27552698e008c0b2c97ea6ead5a5b
SHA2561cccef862e69ad81ecd62dfbba6daad0f786b261fe52104852f3b6cf3d12df99
SHA5121e4802c6e9c52ee4522d2a66d6c03f0490065c84e298cc8f5b08e64d6ee5407c672a790570634507fdb01874926b56616519a895f8a0431f2084f488b20a050f
-
Filesize
336B
MD53540e056349c6972905dc9706cd49418
SHA1492c20442d34d45a6d6790c720349b11ec591cde
SHA25673872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c
-
Filesize
219B
MD55f6d40ca3c34b470113ed04d06a88ff4
SHA150629e7211ae43e32060686d6be17ebd492fd7aa
SHA2560fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA5124d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35
-
Filesize
628B
MD5d5826e36a887bf8a4905d3a7df12f8e6
SHA1b208d89da4bcc9ba38db50f90513e5cff818f1de
SHA2569e436a4f8eae5ed4836d9883c572612ae11d15761a430d0eae314d96a43ea081
SHA512b2fb4e33571cbc1b424e9c2b36fbc1c7f8564b00a92df6fb335f8252fdcf5a05dc690de86d762f6e075cf735770d7935f8e3404c2ccb2dda5daef49e1432bdb1
-
Filesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
Filesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
Filesize
72KB