CryptoWire Claims to be WanaCry4 | VMRay Analyzer Report
Analysis Information
Creation Time 2017-08-08 17:01 (UTC+2)
VM Analysis Duration Time 00:05:19
Execution Successful True
Sample Filename wanacry6.malware.exe
Command Line Parameters False
Prescript False
Number of Processes 79
Termination Reason Timeout
VTI Information
VTI Score
100 / 100
VTI Database Version 2.6
VTI Rule Match Count 19
VTI Rule Type Default (PE, ...)
Remarks
Critical Privileged kernel code was executed during the analysis. Refer to the kernel analysis section on the left for further details.
Critical The operating system was rebooted during the analysis.
Monitored Processes
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xaa0 Analysis Target High (Elevated) wanacry6.malware.exe "C:\Users\5JgHKoaOfdp\Desktop\wanacry6.malware.exe"
#2 0xb74 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\WANACR~1.EXE #1
#4 0xbc8 Child Process High (Elevated) schtasks.exe schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\WANACR~1.EXE #2
#5 0x330 Created Scheduled Job System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k netsvcs #4
#6 0x664 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /C title 4180649|vssadmin.exe Delete Shadows /All /Quiet #1
#7 0x9a8 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /C title 9538298|bcdedit /set {default} recoveryenabled No #1
#8 0x5f4 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /C title 8997147|bcdedit /set {default} bootstatuspolicy ignoreallfailures #1
#13 0x78c Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /S /D /c" title 9538298" #7
#14 0x874 Child Process High (Elevated) bcdedit.exe bcdedit /set {default} recoveryenabled No #7
#15 0x8fc Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /S /D /c" title 4180649" #6
#16 0x908 Child Process High (Elevated) vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet #6
#17 0x8a0 Child Process High (Elevated) cmd.exe C:\Windows\system32\cmd.exe /S /D /c" title 8997147" #8
#18 0x938 Child Process High (Elevated) bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures #8
#19 0x880 Child Process High (Elevated) wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE #1
#22 0x87c Child Process High (Elevated) wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE #19
#23 0x9c0 Child Process High (Elevated) wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE #22
#24 0xa3c Child Process High (Elevated) wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE #23
#25 0xae0 Child Process High (Elevated) wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE #24
#26 0xa5c Child Process High (Elevated) wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE #25
#27 0xa88 Child Process High (Elevated) wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE #26
#28 0x968 Child Process High (Elevated) wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE #27
#29 0x338 Child Process High (Elevated) wanacr~1.exe C:\Users\5JGHKO~1\Desktop\WANACR~1.EXE #28
#30 0x4 Kernel Analysis System (Elevated) System
#31 0xec Child Process System (Elevated) smss.exe \SystemRoot\System32\smss.exe #30
#32 0xfc Child Process System (Elevated) autochk.exe \??\C:\Windows\system32\autochk.exe * #31
#33 0x130 Child Process System (Elevated) smss.exe \SystemRoot\System32\smss.exe 00000000 00000050 #31
#34 0x140 Child Process System (Elevated) csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 #33
#35 0x17c Child Process System (Elevated) smss.exe \SystemRoot\System32\smss.exe 00000001 00000050 #31
#36 0x184 Child Process System (Elevated) wininit.exe wininit.exe #33
#37 0x18c Child Process System (Elevated) csrss.exe %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 #35
#38 0x1a8 Child Process System (Elevated) winlogon.exe winlogon.exe #35
#39 0x1cc Child Process System (Elevated) services.exe C:\Windows\system32\services.exe #36
#40 0x1d4 Child Process System (Elevated) lsass.exe C:\Windows\system32\lsass.exe #36
#41 0x228 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch #39
#42 0x244 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k RPCSS #39
#43 0x294 Child Process System (Elevated) dwm.exe "dwm.exe" #38
#44 0x29c Child Process System (Elevated) logonui.exe "LogonUI.exe" /flags:0x0 #38
#45 0x304 Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted #39
#46 0x320 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k netsvcs #39
#47 0x350 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalService #39
#48 0x378 Child Process System (Elevated) svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted #39
#49 0xe0 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k NetworkService #39
#50 0x118 Child Process System (Elevated) dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} #41
#51 0x3dc Child Process System (Elevated) spoolsv.exe C:\Windows\System32\spoolsv.exe #39
#52 0x3f8 Child Process Medium userinit.exe C:\Windows\system32\userinit.exe #38
#53 0x234 Child Process System (Elevated) taskhost.exe taskhost.exe #46
#54 0x418 Child Process Medium explorer.exe C:\Windows\Explorer.EXE #52
#55 0x420 Child Process Medium taskhostex.exe taskhostex.exe #46
#56 0x438 Child Process Medium taskhost.exe taskhost.exe USER #46
#57 0x440 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork #39
#58 0x450 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #46
#59 0x45c Child Process Medium msoia.exe "C:\Program Files\Microsoft Office\Office15\msoia.exe" scan upload #46
#60 0x4c0 Child Process System (Elevated) taskhost.exe taskhost.exe TpmTasks #46
#61 0x598 Child Process Medium dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} #41
#62 0x600 Child Process Medium thumbnailextractionhost.exe C:\Windows\System32\ThumbnailExtractionHost.exe -Embedding #41
#63 0x630 Child Process System (Elevated) armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" #39
#64 0x6a8 Child Process Medium dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} #41
#65 0x7b4 Child Process System (Elevated) svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation #39
#66 0x3b4 Child Process Medium taskhost.exe taskhost.exe #46
#67 0x714 Child Process Medium mobsync.exe C:\Windows\System32\mobsync.exe -Embedding #41
#68 0x8b8 Child Process System (Elevated) audiodg.exe C:\Windows\system32\AUDIODG.EXE 0x7d8 #45
#69 0x8ec Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #58
#70 0x910 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #69
#71 0x934 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #70
#72 0x958 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #71
#73 0x980 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #72
#74 0x9a4 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #73
#75 0x9c8 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #74
#76 0x9d8 Child Process Medium thumbnailextractionhost.exe C:\Windows\System32\ThumbnailExtractionHost.exe -Embedding #41
#77 0xa08 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #75
#78 0xa40 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #77
#79 0xa64 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #78
#80 0xa88 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #79
#81 0xaac Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #80
#82 0xad0 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #81
#83 0xaf4 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #82
#84 0xb18 Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #83
#85 0xb3c Child Process High (Elevated) wanacr~1.exe C:\PROGRA~1\COMMON~1\WANACR~1.EXE #84
#86 0x880 Child Process System (Elevated) sppsvc.exe C:\Windows\system32\sppsvc.exe #39
Sample Information
ID #17425
MD5 Hash Value d78bfdd6242361aa09a0e730ae9dc49a
SHA1 Hash Value 5e301e5ee7ce8840bf9003df1f3d5cf3679f5753
SHA256 Hash Value bc885443e29b027d5f307e2f3d36e70ba650d608604aeeea7e748c6dc948a8a6
Filename wanacry6.malware.exe
File Size 1.00 MB (1050112 bytes)
File Type Windows Exe (x86-64)
Analyzer and Virtual Machine Information
Analyzer Version 2.1.0
Analyzer Build Date 2017-08-08 10:23
Internet Explorer Version 11.0.9600.16384
Chrome Version 58.0.3029.110
Firefox Version 25.0
Flash Version 11.2.202.228
Java Version 7.0.510
VM Name win8.1_64
VM Architecture x86 64-bit
VM OS Windows 8.1
VM Kernel Version 6.3.9600.16404 (fd3d00d2-8edc-4527-bb92-2bcc0509d285)