WannaCry Ransomware | VMRay Analyzer Report

Analysis Information

Creation Time	2017-05-15 16:53 (UTC+2)
VM Analysis Duration Time	00:05:04
Execution Successful
Sample Filename	WanaDecrypt0r.bin.exe
Command Line Parameters
Prescript
Number of Processes	83
Termination Reason	Maximum binlog size reached
Download	Archive Function Logfile Generic Logfile PCAP STIX/CybOX

VTI Information

VTI Score 100 / 100
VTI Database Version	2.5
VTI Rule Match Count	9957
VTI Rule Type	Default (PE, ...)

Tags

The tags feature is only available in the fully licensed version of VMRay Analyzer.

Remarks

	The maximum number of extracted files was reached during the analysis. Some files may be missing in the reports. You can increase the limit in the configuration.
	The overall sleep time of all monitored processes was truncated from 18 minutes, 59 seconds to 6 minutes, 19 seconds to reveal dormant functionality.

Screenshots

Monitored Processes

ID	PID	Monitor Reason	Integrity Level	Image Name	Command Line	Origin ID
#1	0x924	Analysis Target	High (Elevated)	wanadecrypt0r.bin.exe	"C:\Users\DSsDPMx042\Desktop\WanaDecrypt0r.bin.exe"
#2	0x3f4	RPC Server	System (Elevated)	svchost.exe	C:\Windows\system32\svchost.exe -k LocalService	#1
#4	0x4	Created Daemon	System (Elevated)	System		#1
#5	0x984	Created Daemon	System (Elevated)	wanadecrypt0r.bin.exe	C:\Users\DSsDPMx042\Desktop\WanaDecrypt0r.bin.exe -m security	#1
#6	0x9b8	Child Process	High (Elevated)	tasksche.exe	C:\WINDOWS\tasksche.exe /i	#1
#7	0x9ec	Created Daemon	System (Elevated)	cmd.exe	cmd.exe /c "C:\ProgramData\qxtqusdnjzrizx418\tasksche.exe"	#6
#8	0xa00	Child Process	System (Elevated)	tasksche.exe	C:\ProgramData\qxtqusdnjzrizx418\tasksche.exe	#7
#9	0xa5c	Child Process	System (Elevated)	attrib.exe	attrib +h .	#8
#10	0xa64	Child Process	System (Elevated)	icacls.exe	icacls . /grant Everyone:F /T /C /Q	#8
#11	0xb94	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#12	0xbb4	Child Process	System (Elevated)	cmd.exe	cmd /c 29121494860050.bat	#8
#13	0xbec	Child Process	System (Elevated)	cscript.exe	cscript.exe //nologo m.vbs	#12
#14	0xdbc	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#15	0xf74	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#16	0xfb8	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#17	0x864	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#18	0x840	Child Process	System (Elevated)	cmd.exe	cmd.exe /c start /b @WanaDecryptor@.exe vs	#8
#19	0x854	Child Process	System (Elevated)	@wanadecryptor@.exe	@WanaDecryptor@.exe co	#8
#20	0x810	Child Process	System (Elevated)	@wanadecryptor@.exe	@WanaDecryptor@.exe vs	#18
#21	0x784	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#22	0x128	Child Process	System (Elevated)	cmd.exe	cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qxtqusdnjzrizx418" /t REG_SZ /d "\"C:\ProgramData\qxtqusdnjzrizx418\tasksche.exe\"" /f	#8
#23	0x430	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#24	0x878	Child Process	System (Elevated)	reg.exe	reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qxtqusdnjzrizx418" /t REG_SZ /d "\"C:\ProgramData\qxtqusdnjzrizx418\tasksche.exe\"" /f	#22
#25	0x31c	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#21
#26	0x814	Child Process	System (Elevated)	taskhsvc.exe	TaskData\Tor\taskhsvc.exe	#19
#27	0x36c	Child Process	System (Elevated)	cmd.exe	cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet	#20
#28	0x8fc	Child Process	System (Elevated)	vssadmin.exe	vssadmin delete shadows /all /quiet	#27
#29	0x150	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#30	0x880	RPC Server	System (Elevated)	vssvc.exe	C:\Windows\system32\vssvc.exe	#28
#31	0x92c	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#32	0x8cc	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#31
#33	0x8c	RPC Server	System (Elevated)	svchost.exe	C:\Windows\System32\svchost.exe -k swprv	#30
#34	0x704	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#35	0x258	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#36	0x9c0	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#34
#37	0xa40	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#38	0xa5c	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#39	0xa68	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#37
#40	0xab4	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#41	0xac8	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#40
#42	0xb1c	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#43	0xb2c	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#42
#44	0xb34	Child Process	System (Elevated)	wmic.exe	wmic shadowcopy delete	#27
#45	0xb4c	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#46	0x364	RPC Server	System (Elevated)	svchost.exe	C:\Windows\system32\svchost.exe -k netsvcs	#44
#47	0xbc4	RPC Server	System (Elevated)	wmiprvse.exe	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding	#46
#48	0xbb0	Child Process	System (Elevated)	bcdedit.exe	bcdedit /set {default} bootstatuspolicy ignoreallfailures	#27
#49	0xb94	Child Process	System (Elevated)	bcdedit.exe	bcdedit /set {default} recoveryenabled no	#27
#50	0xbd4	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#51	0xbe0	Child Process	System (Elevated)	wbadmin.exe	wbadmin delete catalog -quiet	#27
#52	0xbe8	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#50
#53	0xc2c	RPC Server	System (Elevated)	wbengine.exe	"C:\Windows\system32\wbengine.exe"	#51
#54	0xc6c	RPC Server	System (Elevated)	vdsldr.exe	C:\Windows\System32\vdsldr.exe -Embedding	#53
#55	0xd0c	RPC Server	System (Elevated)	vds.exe	C:\Windows\System32\vds.exe	#54
#56	0xc78	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#57	0xd58	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#58	0xd68	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#57
#59	0xd78	RPC Server	System (Elevated)	wmiprvse.exe	C:\Windows\system32\wbem\wmiprvse.exe -Embedding	#46
#60	0xda4	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#61	0xdd8	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#62	0xe24	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#63	0xdbc	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#64	0xe40	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#63
#65	0x57c	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#61
#66	0xea0	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#67	0xec0	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#68	0x2c0	RPC Server	System (Elevated)	svchost.exe	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted	#46
#69	0xef4	Child Process	System (Elevated)	wmiadap.exe	wmiadap.exe /F /T /R	#46
#70	0xf14	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#66
#71	0xf20	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#72	0xf54	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#71
#73	0xf80	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#74	0xf88	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#75	0x664	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#74
#76	0x180	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#77	0xc20	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#78	0x7a0	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#76
#79	0xff0	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#80	0x498	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8
#81	0x474	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#79
#82	0x728	Child Process	System (Elevated)	taskse.exe	taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe	#8
#83	0x6dc	Child Process	Medium	@wanadecryptor@.exe	"C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe"	#82
#84	0x430	Child Process	System (Elevated)	taskdl.exe	taskdl.exe	#8

Sample Information

ID	#1853086
MD5 Hash Value	db349b97c37d22f5ea1d1841e3c89eb4
SHA1 Hash Value	e889544aff85ffaf8b0d0da705105dee7c97fe26
SHA256 Hash Value	24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
Filename	WanaDecrypt0r.bin.exe
File Size	3.55 MB (3723264 bytes)
File Type	Windows Exe (x86-32)

Analyzer and Virtual Machine Information

Analyzer Version	2.1.0
Analyzer Build Date	2017-05-15 15:58 (UTC+2)
Internet Explorer Version	8.0.7601.17514
Firefox Version	39.0
Java Version	8.0.1110.14
VM Name	win7_32_sp1
VM Architecture	x86 32-bit PAE
VM OS	Windows 7
VM Kernel Version	6.1.7601.17514 (684da42a-30cc-450f-81c5-35b4d18944b1)