Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
15-12-2024 03:23
Behavioral task
behavioral1
Sample
2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe
Resource
win7-20240729-en
windows7-x64
22 signatures
150 seconds
Behavioral task
behavioral2
Sample
2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
25 signatures
150 seconds
General
-
Target
2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe
-
Size
362KB
-
MD5
603e48a98dad157d9f8661097ac9bd4e
-
SHA1
5680b89b1ff990bd32067bf2d84bb792d1614fa6
-
SHA256
b6b9fa58bf57ceab4809ad2fc5983686567df05b92413aa8183a979b75f30016
-
SHA512
43db5e997f260e66865195e08379dc9a6a83439cbff497f71f03255dde8ff2620b7852eeb592c1cb82d9a09934af9c0e802de879ae4476fe73a32ef324bb5354
-
SSDEEP
6144:X4Zq9lVYxyj9aqEaEPs8PqAftRe2CT1R4qV3hAB52:X4gVYxuTEa8PqAfTPEqqV3yB52
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 3 IoCs
resource yara_rule behavioral1/memory/2216-1-0x0000000000C00000-0x0000000000C60000-memory.dmp family_chaos behavioral1/files/0x00090000000122cf-8.dat family_chaos behavioral1/memory/2672-9-0x00000000002A0000-0x0000000000300000-memory.dmp family_chaos -
Chaos family
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2036 bcdedit.exe 2212 bcdedit.exe -
pid Process 2904 wbadmin.exe -
Disables Task Manager via registry modification
-
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini tools.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt tools.exe -
Executes dropped EXE 1 IoCs
pid Process 2672 tools.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\tools.exe" tools.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini tools.exe File opened for modification C:\Users\Admin\Music\desktop.ini tools.exe File opened for modification C:\Users\Public\Music\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RTJA0BV0\desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\386UAANV\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini tools.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini tools.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini tools.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini tools.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini tools.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3K0NZPWJ\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini tools.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini tools.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2703099537-420551529-3771253338-1000\desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B329PW0O\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini tools.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini tools.exe File opened for modification C:\Users\Public\Downloads\desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini tools.exe File opened for modification C:\Users\Public\Desktop\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini tools.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini tools.exe File opened for modification C:\Users\Admin\Videos\desktop.ini tools.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini tools.exe File opened for modification C:\Users\Public\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini tools.exe File opened for modification C:\Users\Public\Documents\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JMFEWY8E\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini tools.exe File opened for modification C:\Users\Public\Libraries\desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini tools.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FXDUII3O\desktop.ini tools.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini tools.exe File opened for modification C:\Users\Admin\Searches\desktop.ini tools.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CBCNU6WZ\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini tools.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini tools.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini tools.exe File opened for modification C:\Users\Admin\Documents\desktop.ini tools.exe File opened for modification C:\Users\Public\Videos\desktop.ini tools.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini tools.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\25UY7HZX\desktop.ini tools.exe File opened for modification C:\Users\Public\Pictures\desktop.ini tools.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8b2hlet89.jpg" tools.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1676 vssadmin.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 2928 NOTEPAD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2216 2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe 2672 tools.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2216 2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe 2216 2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe 2216 2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe 2672 tools.exe 2672 tools.exe 2672 tools.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeDebugPrivilege 2216 2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe Token: SeDebugPrivilege 2672 tools.exe Token: SeBackupPrivilege 2548 vssvc.exe Token: SeRestorePrivilege 2548 vssvc.exe Token: SeAuditPrivilege 2548 vssvc.exe Token: SeIncreaseQuotaPrivilege 1716 WMIC.exe Token: SeSecurityPrivilege 1716 WMIC.exe Token: SeTakeOwnershipPrivilege 1716 WMIC.exe Token: SeLoadDriverPrivilege 1716 WMIC.exe Token: SeSystemProfilePrivilege 1716 WMIC.exe Token: SeSystemtimePrivilege 1716 WMIC.exe Token: SeProfSingleProcessPrivilege 1716 WMIC.exe Token: SeIncBasePriorityPrivilege 1716 WMIC.exe Token: SeCreatePagefilePrivilege 1716 WMIC.exe Token: SeBackupPrivilege 1716 WMIC.exe Token: SeRestorePrivilege 1716 WMIC.exe Token: SeShutdownPrivilege 1716 WMIC.exe Token: SeDebugPrivilege 1716 WMIC.exe Token: SeSystemEnvironmentPrivilege 1716 WMIC.exe Token: SeRemoteShutdownPrivilege 1716 WMIC.exe Token: SeUndockPrivilege 1716 WMIC.exe Token: SeManageVolumePrivilege 1716 WMIC.exe Token: 33 1716 WMIC.exe Token: 34 1716 WMIC.exe Token: 35 1716 WMIC.exe Token: SeIncreaseQuotaPrivilege 1716 WMIC.exe Token: SeSecurityPrivilege 1716 WMIC.exe Token: SeTakeOwnershipPrivilege 1716 WMIC.exe Token: SeLoadDriverPrivilege 1716 WMIC.exe Token: SeSystemProfilePrivilege 1716 WMIC.exe Token: SeSystemtimePrivilege 1716 WMIC.exe Token: SeProfSingleProcessPrivilege 1716 WMIC.exe Token: SeIncBasePriorityPrivilege 1716 WMIC.exe Token: SeCreatePagefilePrivilege 1716 WMIC.exe Token: SeBackupPrivilege 1716 WMIC.exe Token: SeRestorePrivilege 1716 WMIC.exe Token: SeShutdownPrivilege 1716 WMIC.exe Token: SeDebugPrivilege 1716 WMIC.exe Token: SeSystemEnvironmentPrivilege 1716 WMIC.exe Token: SeRemoteShutdownPrivilege 1716 WMIC.exe Token: SeUndockPrivilege 1716 WMIC.exe Token: SeManageVolumePrivilege 1716 WMIC.exe Token: 33 1716 WMIC.exe Token: 34 1716 WMIC.exe Token: 35 1716 WMIC.exe Token: SeBackupPrivilege 1068 wbengine.exe Token: SeRestorePrivilege 1068 wbengine.exe Token: SeSecurityPrivilege 1068 wbengine.exe -
Suspicious use of WriteProcessMemory 30 IoCs
description pid Process procid_target PID 2216 wrote to memory of 2672 2216 2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe 30 PID 2216 wrote to memory of 2672 2216 2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe 30 PID 2216 wrote to memory of 2672 2216 2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe 30 PID 2672 wrote to memory of 2908 2672 tools.exe 31 PID 2672 wrote to memory of 2908 2672 tools.exe 31 PID 2672 wrote to memory of 2908 2672 tools.exe 31 PID 2908 wrote to memory of 1676 2908 cmd.exe 33 PID 2908 wrote to memory of 1676 2908 cmd.exe 33 PID 2908 wrote to memory of 1676 2908 cmd.exe 33 PID 2908 wrote to memory of 1716 2908 cmd.exe 36 PID 2908 wrote to memory of 1716 2908 cmd.exe 36 PID 2908 wrote to memory of 1716 2908 cmd.exe 36 PID 2672 wrote to memory of 2100 2672 tools.exe 38 PID 2672 wrote to memory of 2100 2672 tools.exe 38 PID 2672 wrote to memory of 2100 2672 tools.exe 38 PID 2100 wrote to memory of 2036 2100 cmd.exe 40 PID 2100 wrote to memory of 2036 2100 cmd.exe 40 PID 2100 wrote to memory of 2036 2100 cmd.exe 40 PID 2100 wrote to memory of 2212 2100 cmd.exe 41 PID 2100 wrote to memory of 2212 2100 cmd.exe 41 PID 2100 wrote to memory of 2212 2100 cmd.exe 41 PID 2672 wrote to memory of 2624 2672 tools.exe 42 PID 2672 wrote to memory of 2624 2672 tools.exe 42 PID 2672 wrote to memory of 2624 2672 tools.exe 42 PID 2624 wrote to memory of 2904 2624 cmd.exe 44 PID 2624 wrote to memory of 2904 2624 cmd.exe 44 PID 2624 wrote to memory of 2904 2624 cmd.exe 44 PID 2672 wrote to memory of 2928 2672 tools.exe 49 PID 2672 wrote to memory of 2928 2672 tools.exe 49 PID 2672 wrote to memory of 2928 2672 tools.exe 49 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-15_603e48a98dad157d9f8661097ac9bd4e_wannacry.exe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Users\Admin\AppData\Roaming\tools.exe"C:\Users\Admin\AppData\Roaming\tools.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete3⤵
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:1676
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no3⤵
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:2036
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:2212
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet3⤵
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
PID:2904
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt3⤵
- Opens file in notepad (likely ransom note)
PID:2928
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2548
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2884
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵PID:2344
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
3File Deletion
3Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
309B
MD5cbac682dec9d9089cc260e3d70ec3c32
SHA16af5fa212bbf3151803a5760960da980159fa897
SHA25645dac0116844b1f78a941d315ca62cfe4522bf769f7ebb21597c0c007261f17b
SHA512daf5b712a25b4a77a4bf79a4813f5c0587c2ceee59cd91083713c72792b9ad9124840735d9bd1579102eef0b8b4d1e4a89c0f6850b801edf3e83e74cc5aaf806
-
Filesize
362KB
MD5603e48a98dad157d9f8661097ac9bd4e
SHA15680b89b1ff990bd32067bf2d84bb792d1614fa6
SHA256b6b9fa58bf57ceab4809ad2fc5983686567df05b92413aa8183a979b75f30016
SHA51243db5e997f260e66865195e08379dc9a6a83439cbff497f71f03255dde8ff2620b7852eeb592c1cb82d9a09934af9c0e802de879ae4476fe73a32ef324bb5354
-
Filesize
1B
MD5d1457b72c3fb323a2671125aef3eab5d
SHA15bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA2568a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0