Field | Value |
---|---|
Created | 2023.06.19 16:24 |
Machine | s1_win7_x6401 |
Filename | WannaCry.exe |
Type | PE32 executable (GUI) Intel 80386, for MS Windows |
AI Score | |
Behavior Score | |
ZERO API | file : malware |
VT API (file) | 67 detected (WannaCrypLTQ, Wanna, toNn, WannaCryptor, WannaCrypt, unsafe, WannaCry, ali1020010, malicious, ZexaF, wt0@aGEmS3di, ZTSA, high confidence, Filecoder, score, Ransomware, eoptnj, WanaCry, WANA, RansomWannaCry, high, Scatter, se54409, B@719b9h, Detected, R200571, ai score=100, WanaCrypt, CLASSIC, Igent, bUj9pX, Static AI, Suspicious PE, confidence, 100%) |
md5 | 84c82835a5d21bbcf75a61706d8ab549 |
sha256 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
ssdeep | 98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB |
imphash | 68f013d7437aa653a8a98a05807afeb1 |
impfuzzy | 48:M+kfBluPYSg/ettru7SioN7y0CuUq4jVFqWjValBXQGrTXj:M+kfBIPYSK6u+ioN7RlUq4jVFqWjValP |
Signature (47cnts)
Level | Description |
---|---|
danger | Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) |
danger | Appends a new file extension or content to 3057 files indicative of a ransomware file encryption process |
danger | File has been identified by 67 AntiVirus engines on VirusTotal as malicious |
danger | Performs 3057 file moves indicative of a ransomware file encryption process |
danger | Drops 736 unknown file mime types indicative of ransomware writing encrypted files back to disk |
watch | Appends a known WannaCry ransomware file extension to files that have been encrypted |
watch | Attempts to identify installed AV products by installation directory |
watch | Communicates with host for which no DNS query was performed |
watch | Deletes a large number of files from the system indicative of ransomware |
watch | Installs itself for autorun at Windows startup |
watch | Installs Tor on the machine |
watch | Modifies boot configuration settings |
watch | Removes the Shadow Copy to avoid recovery of the system |
watch | Resumed a suspended thread in a remote process potentially indicative of process injection |
watch | Uses suspicious command line tools or Windows utilities |
watch | Writes a potential ransom message to disk |
notice | A process attempted to delay the analysis task. |
notice | A process created a hidden window |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) |
notice | Checks adapter addresses which can be used to detect virtual network interfaces |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Checks whether any human activity is being performed by constantly checking whether the foreground window changed |
notice | Creates (office) documents on the filesystem |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Creates executable files on the filesystem |
notice | Creates hidden or system file |
notice | Drops an executable to the user AppData folder |
notice | Executes one or more WMI queries |
notice | One or more potentially interesting buffers were extracted |
notice | Potentially malicious URLs were found in the process memory dump |
notice | Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation |
notice | Searches running processes potentially to identify processes for sandbox evasion |
notice | Starts servers listening |
notice | Steals private information from local Internet browsers |
notice | The binary likely contains encrypted or compressed data indicative of a packer |
notice | Uses Windows utilities for basic Windows functionality |
notice | Yara rule detected in process memory |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Command line console output was observed |
info | One or more processes crashed |
info | Queries for the computername |
info | The executable uses a known packer |
info | The file contains an unknown PE resource name possibly indicative of a packer |
info | Uses Windows APIs to generate a cryptographic key |
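The danger and watch rows above are behavioural signatures evaluated over the sandbox's API trace, not static properties of the file. The Python below is an added example, not the sandbox's own signature code: it re-implements five of the listed signatures (file moves that append an extension, the known WannaCry extension, shadow-copy removal, boot-configuration changes and autorun persistence) over a constructed event list. The event field names, the regular expressions and the default move threshold of 100 are assumptions made for this example; the report itself counted 3057 moves for this sample.

```python
import re
from collections import Counter

# Constructed sandbox events for this example (not taken from the report).
# Each event is a dict keyed by API name, roughly how a Cuckoo-style sandbox
# records calls; real traces carry many more fields per call.
SAMPLE_EVENTS = [
    {"api": "MoveFileWithProgressW",
     "src": r"C:\Users\u\Documents\a.docx", "dst": r"C:\Users\u\Documents\a.docx.WNCRY"},
    {"api": "MoveFileWithProgressW",
     "src": r"C:\Users\u\Documents\b.xlsx", "dst": r"C:\Users\u\Documents\b.xlsx.WNCRY"},
    {"api": "MoveFileWithProgressW",
     "src": r"C:\Users\u\Pictures\c.jpg", "dst": r"C:\Users\u\Pictures\c.jpg.WNCRY"},
    # Ordinary rename: the extension is replaced, not appended, so it must not count.
    {"api": "MoveFileWithProgressW",
     "src": r"C:\Temp\setup.tmp", "dst": r"C:\Temp\setup.exe"},
    {"api": "CreateProcessA",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"api": "CreateProcessA",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"api": "RegSetValueExA",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "svc", "data": r"C:\Users\u\AppData\Local\Temp\payload.exe"},
]

# Extensions WannaCry appends to files it encrypts (compared case-insensitively).
WANNACRY_EXTENSIONS = (".wncry", ".wncryt", ".wnry")

# Command-line patterns behind the shadow-copy and boot-configuration rows.
# These regexes are assumptions written for this example.
SHADOW_COPY_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]
BOOT_CONFIG_PATTERNS = [
    re.compile(r"bcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled|bootstatuspolicy)\b", re.I),
]
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)


def appended_extension_moves(events):
    """Return {extension: count} for file moves whose destination is the
    source path with one more extension appended, the rename pattern of an
    encrypt-then-rename loop. A replaced extension does not count."""
    hits = Counter()
    for ev in events:
        if ev["api"] not in ("MoveFileWithProgressW", "MoveFileExW", "MoveFileW"):
            continue
        src, dst = ev["src"].lower(), ev["dst"].lower()
        if dst.startswith(src) and len(dst) > len(src) and dst[len(src)] == ".":
            hits[dst[len(src):]] += 1
    return hits


def evaluate(events, move_threshold=100):
    """Run the signatures over a trace and return the names that fired, in a
    fixed order. move_threshold is an assumption for the example."""
    fired = []
    moves = appended_extension_moves(events)
    if sum(moves.values()) >= move_threshold:
        fired.append("ransomware_file_moves")
    if any(ext in WANNACRY_EXTENSIONS for ext in moves):
        fired.append("wannacry_extension")
    cmdlines = [ev["cmdline"] for ev in events if ev["api"] == "CreateProcessA"]
    if any(p.search(c) for c in cmdlines for p in SHADOW_COPY_PATTERNS):
        fired.append("shadow_copy_removal")
    if any(p.search(c) for c in cmdlines for p in BOOT_CONFIG_PATTERNS):
        fired.append("boot_config_modified")
    if any(ev["api"] == "RegSetValueExA" and RUN_KEY_RE.search(ev["key"]) for ev in events):
        fired.append("autorun_persistence")
    return fired


if __name__ == "__main__":
    print(appended_extension_moves(SAMPLE_EVENTS))
    print(evaluate(SAMPLE_EVENTS, move_threshold=3))
```

The extension check and the move count are deliberately separate signatures, as in the report: the count catches an unknown family by volume alone, while the extension match names the family but fires on a single file. A threshold-based rule is also the one most sensitive to the sandbox run time, which is why the report pairs it with the mime-type and deletion counts rather than relying on it alone.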
Rules (58cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
warning | Suspicious_Obfuscation_Script_2 | Suspicious obfuscation script (e.g. executable files) | binaries (download) |
watch | Admin_Tool_IN_Zero | Admin Tool Sysinternals | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (download) |
watch | Malicious_Library_Zero | Malicious_Library | binaries (upload) |
watch | Network_Downloader | File Downloader | binaries (download) |
watch | Network_Downloader | File Downloader | memory |
watch | UPX_Zero | UPX packed file | binaries (download) |
watch | UPX_Zero | UPX packed file | binaries (upload) |
notice | anti_vm_detect | Possibly employs anti-virtualization techniques | binaries (download) |
notice | BitCoin | Perform crypto currency mining | memory |
notice | Code_injection | Code injection with CreateRemoteThread in a remote process | memory |
notice | Create_Service | Create a windows service | memory |
notice | Escalate_priviledges | Escalate privileges | memory |
notice | Generic_PWS_Memory_Zero | PWS Memory | memory |
notice | Hijack_Network | Hijack network configuration | memory |
notice | KeyLogger | Run a KeyLogger | memory |
notice | local_credential_Steal | Steal credential | memory |
notice | Network_DGA | Communication using DGA | memory |
notice | Network_DNS | Communications use DNS | memory |
notice | Network_FTP | Communications over FTP | memory |
notice | Network_HTTP | Communications over HTTP | memory |
notice | Network_P2P_Win | Communications over P2P network | memory |
notice | Network_TCP_Socket | Communications over RAW Socket | memory |
notice | Persistence | Install itself for autorun at Windows startup | memory |
notice | ScreenShot | Take ScreenShot | memory |
notice | Sniff_Audio | Record Audio | memory |
notice | Str_Win32_Http_API | Match Windows Http API call | memory |
notice | Str_Win32_Internet_API | Match Windows Inet API call | memory |
info | anti_dbg | Checks if being debugged | memory |
info | antisb_threatExpert | Anti-Sandbox checks for ThreatExpert | memory |
info | bmp_file_format | bmp file format | binaries (download) |
info | CAB_file_format | CAB archive file | binaries (download) |
info | Check_Dlls | (no description) | memory |
info | DebuggerCheck__GlobalFlags | (no description) | memory |
info | DebuggerCheck__QueryInfo | (no description) | memory |
info | DebuggerCheck__RemoteAPI | (no description) | memory |
info | DebuggerException__ConsoleCtrl | (no description) | memory |
info | DebuggerException__SetConsoleCtrl | (no description) | memory |
info | DebuggerHiding__Active | (no description) | memory |
info | DebuggerHiding__Thread | (no description) | memory |
info | disable_dep | Bypass DEP | memory |
info | docx | Word 2007 file format detection | binaries (download) |
info | IsDLL | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (download) |
info | IsPE32 | (no description) | binaries (upload) |
info | JPEG_Format_Zero | JPEG Format | binaries (download) |
info | Lnk_Format_Zero | LNK Format | binaries (download) |
info | OS_Processor_Check_Zero | OS Processor Check | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (download) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PNG_Format_Zero | PNG Format | binaries (download) |
info | SEH__vectored | (no description) | memory |
info | ThreadControl__Context | (no description) | memory |
info | Virtual_currency_Zero | Virtual currency | memory |
info | win_hook | Affect hook table | memory |
info | zip_file_format | ZIP file format | binaries (download) |
Network (5cnts)
Suricata ids
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 344
ET JA3 Hash - Possible Malware - Malspam
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 796
ET POLICY TLS possible TOR SSL traffic
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 271
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x40802c GetFileAttributesW
0x408030 GetFileSizeEx
0x408034 CreateFileA
0x408038 InitializeCriticalSection
0x40803c DeleteCriticalSection
0x408040 ReadFile
0x408044 GetFileSize
0x408048 WriteFile
0x40804c LeaveCriticalSection
0x408050 EnterCriticalSection
0x408054 SetFileAttributesW
0x408058 SetCurrentDirectoryW
0x40805c CreateDirectoryW
0x408060 GetTempPathW
0x408064 GetWindowsDirectoryW
0x408068 GetFileAttributesA
0x40806c SizeofResource
0x408070 LockResource
0x408074 LoadResource
0x408078 MultiByteToWideChar
0x40807c Sleep
0x408080 OpenMutexA
0x408084 GetFullPathNameA
0x408088 CopyFileA
0x40808c GetModuleFileNameA
0x408090 VirtualAlloc
0x408094 VirtualFree
0x408098 FreeLibrary
0x40809c HeapAlloc
0x4080a0 GetProcessHeap
0x4080a4 GetModuleHandleA
0x4080a8 SetLastError
0x4080ac VirtualProtect
0x4080b0 IsBadReadPtr
0x4080b4 HeapFree
0x4080b8 SystemTimeToFileTime
0x4080bc LocalFileTimeToFileTime
0x4080c0 CreateDirectoryA
0x4080c4 GetStartupInfoA
0x4080c8 SetFilePointer
0x4080cc SetFileTime
0x4080d0 GetComputerNameW
0x4080d4 GetCurrentDirectoryA
0x4080d8 SetCurrentDirectoryA
0x4080dc GlobalAlloc
0x4080e0 LoadLibraryA
0x4080e4 GetProcAddress
0x4080e8 GlobalFree
0x4080ec CreateProcessA
0x4080f0 CloseHandle
0x4080f4 WaitForSingleObject
0x4080f8 TerminateProcess
0x4080fc GetExitCodeProcess
0x408100 FindResourceA
USER32.dll
0x4081d0 wsprintfA
ADVAPI32.dll
0x408000 CreateServiceA
0x408004 OpenServiceA
0x408008 StartServiceA
0x40800c CloseServiceHandle
0x408010 CryptReleaseContext
0x408014 RegCreateKeyW
0x408018 RegSetValueExA
0x40801c RegQueryValueExA
0x408020 RegCloseKey
0x408024 OpenSCManagerA
MSVCRT.dll
0x408108 realloc
0x40810c fclose
0x408110 fwrite
0x408114 fread
0x408118 fopen
0x40811c sprintf
0x408120 rand
0x408124 srand
0x408128 strcpy
0x40812c memset
0x408130 strlen
0x408134 wcscat
0x408138 wcslen
0x40813c __CxxFrameHandler
0x408140 ??3@YAXPAX@Z
0x408144 memcmp
0x408148 _except_handler3
0x40814c _local_unwind2
0x408150 wcsrchr
0x408154 swprintf
0x408158 ??2@YAPAXI@Z
0x40815c memcpy
0x408160 strcmp
0x408164 strrchr
0x408168 __p___argv
0x40816c __p___argc
0x408170 _stricmp
0x408174 free
0x408178 malloc
0x40817c ??0exception@@QAE@ABV0@@Z
0x408180 ??1exception@@UAE@XZ
0x408184 ??0exception@@QAE@ABQBD@Z
0x408188 _CxxThrowException
0x40818c calloc
0x408190 strcat
0x408194 _mbsstr
0x408198 ??1type_info@@UAE@XZ
0x40819c _exit
0x4081a0 _XcptFilter
0x4081a4 exit
0x4081a8 _acmdln
0x4081ac __getmainargs
0x4081b0 _initterm
0x4081b4 __setusermatherr
0x4081b8 _adjust_fdiv
0x4081bc __p__commode
0x4081c0 __p__fmode
0x4081c4 __set_app_type
0x4081c8 _controlfp
EAT(Export Address Table) is none
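The imphash in the metadata block is an MD5 over the normalised import list shown in this section, so the listing above is what produces it. The Python below is an added example, not code from the report or from pefile: it parses a listing in the format this section uses (a short excerpt constructed from the page's own entries is embedded) and hashes it the way pefile's get_imphash does. The parsing rules for the listing format are assumptions made for this page; DLL order must be the import-directory order, which is the order the report prints, or the hash will not match.

```python
import hashlib
import re

# Excerpt in the report's IAT listing format: a bare DLL name line followed by
# "<address> <function>" lines. Constructed for this example from the page's
# listing; paste the whole section to reproduce the report's imphash.
IAT_LISTING = """\
KERNEL32.dll
0x40802c GetFileAttributesW
0x408030 GetFileSizeEx
0x408034 CreateFileA
USER32.dll
0x4081d0 wsprintfA
ADVAPI32.dll
0x408000 CreateServiceA
0x408010 CryptReleaseContext
MSVCRT.dll
0x408108 realloc
0x408118 fopen
EAT(Export Address Table) is none
"""

ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)$")


def parse_iat_listing(text):
    """Parse the listing into [(dll, [function, ...]), ...], keeping the
    order in which DLLs and functions appear. Section headers from the
    report ("PE API", "IAT(...)", "EAT(...)") are skipped."""
    imports = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("IAT(", "EAT(", "PE API")):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            imports.append((line, []))  # a bare DLL name line opens a new group
        elif not imports:
            raise ValueError(f"function entry before any DLL name: {line!r}")
        else:
            imports[-1][1].append(m.group(1))
    return imports


def imphash_string(imports):
    """Build the string pefile hashes: each import as 'dll.func', both
    lowercased, with a .dll/.ocx/.sys suffix stripped from the DLL name,
    joined with commas in import-directory order. Imports by ordinal only
    (none in this sample) would need pefile's ordinal-to-name tables."""
    parts = []
    for dll, funcs in imports:
        name = dll.lower()
        stem, sep, ext = name.rpartition(".")
        if sep and ext in ("dll", "ocx", "sys"):
            name = stem
        parts.extend(f"{name}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports):
    """MD5 hex digest of the normalised import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    imps = parse_iat_listing(IAT_LISTING)
    print(imphash_string(imps))
    print(imphash(imps))
```

Because the hash covers names and order only, it clusters builds that share a linker layout and is useful for pivoting between samples of the same family, but any re-link or a changed import order produces a new value; treat a matching imphash as a lead, not as proof of identity, and confirm with the sha256 or the ssdeep/impfuzzy fields that tolerate small changes.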