Analysis Overview
SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
Threat Level: Known bad
The file WannaCry.exe was found to be: Known bad.
Malicious Activity Summary
Wannacry
Wannacry family
Deletes shadow copies
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
Adds Run key to start application
Sets desktop wallpaper using registry
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Kills process with taskkill
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 02:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 02:16
Reported
2024-11-11 02:52
Platform
win10v2004-20241007-en
Max time kernel
1790s
Max time network
1154s
Command Line
Signatures
Wannacry
Wannacry family
Deletes shadow copies
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9644.tmp | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD965A.tmp | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 35601731291729.bat
C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:9050 | tcp | |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9150 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp |
Files
memory/1460-6-0x0000000010000000-0x0000000010012000-memory.dmp
memory/1460-7-0x0000000010000000-0x0000000010012000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u.wry
| MD5 | cf1416074cd7791ab80a18f9e7e219d9 |
| SHA1 | 276d2ec82c518d887a8a3608e51c56fa28716ded |
| SHA256 | 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df |
| SHA512 | 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5 |
C:\Users\Admin\AppData\Local\Temp\35601731291729.bat
| MD5 | 3540e056349c6972905dc9706cd49418 |
| SHA1 | 492c20442d34d45a6d6790c720349b11ec591cde |
| SHA256 | 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc |
| SHA512 | c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c |
C:\Users\Admin\AppData\Local\Temp\c.vbs
| MD5 | 5f6d40ca3c34b470113ed04d06a88ff4 |
| SHA1 | 50629e7211ae43e32060686d6be17ebd492fd7aa |
| SHA256 | 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1 |
| SHA512 | 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35 |
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
| MD5 | 7cbc43f63ea460e6a0ece2f0636f8f12 |
| SHA1 | 3a9e0837a33edd63f542baeaaf33f176aafba93e |
| SHA256 | d83b4e936b8c699e15f787d2fd62401d8548af44f010f14cfe65552ed7f95363 |
| SHA512 | 45b6aa5096e45a9a9e09053172214975d652bceae9088e28af88bb72a5798eb2fb510d099d83921837ec1753ff9710f62f319ab3e08066645d85c55d2ad6d9fb |
C:\Users\Admin\AppData\Local\Temp\c.wry
| MD5 | 663e55df21852bc8870b86bc38e58262 |
| SHA1 | 1c691bf030ecfce78a9476fbdef3afe61724e6a9 |
| SHA256 | bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538 |
| SHA512 | 6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9 |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | bf71ad71f14e072d4a68ff9d42816311 |
| SHA1 | 796b9ab4fe9acea085c44fe1daf6c82f00ccad4c |
| SHA256 | f5757bcef5340b44bca3704cedf4ce6315777930001e89f7135b3f4385990a88 |
| SHA512 | da7aaa815858a10d9746cace1c51d1a0bbf51bd3c7b1218e6c64206bf8163e47c480b90fbe9c734da69090119b99d29a5f29eeb8ee8ca67dc1a1e782e8aa4619 |
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt
| MD5 | afa18cf4aa2660392111763fb93a8c3d |
| SHA1 | c219a3654a5f41ce535a09f2a188a464c3f5baf5 |
| SHA256 | 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0 |
| SHA512 | 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | 0f5c2e1fdbdadf87e9d79ea095855415 |
| SHA1 | 38cf1b8a0a7799594ddfc605566e855fbabefe40 |
| SHA256 | d898dc4e22a22a011272b00639d4e0e8659722d6e4a8ca8d2f99ccf6ec696ea2 |
| SHA512 | 62a7a8ecf5a66cf8dabb9be8e6755f5ec7e1f3cad272d319053498a80f4eaa02a902d8bf15bf219764047a7126ef2aec18dc94ff94d23733f666df8d8ab981fd |
C:\Users\Admin\AppData\Local\Temp\c.wry
| MD5 | 1d4492453d3798c0f0bbd5ce5e483129 |
| SHA1 | f70694de2d199dbdaafa460842e29f032b6d8f9b |
| SHA256 | 923f8767aebed4b331e4c8c9c052642088722ba540a69570c920b60b52e7d90b |
| SHA512 | e8b39257a67e7d95f754d1817a58fc4d2db4ef03be7054b20a193fe4c9eace0b150bea1efe235b0deef492087ceab543d8c44815ac62d7b203293e9d202cda41 |
C:\Users\Admin\AppData\Local\Temp\m.wry
| MD5 | 980b08bac152aff3f9b0136b616affa5 |
| SHA1 | 2a9c9601ea038f790cc29379c79407356a3d25a3 |
| SHA256 | 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9 |
| SHA512 | 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496 |
C:\Users\Admin\AppData\Local\Temp\00000000.res
| MD5 | 1adae04ebe479ab3889fe6cefe82552b |
| SHA1 | 4b8a59119107740dd7d78e0f3584f6e0fd55f884 |
| SHA256 | 60fcc91f64f9e204fc3444620c92495642989b31e309f95e158b16a4e0480dcd |
| SHA512 | ebc08b67f2c2202d68ba220397a3731326387704f674d8e2bbe98147e6f33fe36b12516ab85e3fe4455dc3f38cc14c87283eeb8b6426ae322771be1ab74ebd55 |