CryptoWire Claims to be WanaCry4 | VTI by Category
Try VMRay Analyzer
|
VTI Score
100 / 100
|
|
| VTI Database Version | 2.6 |
| VTI Rule Match Count | 19 |
| VTI Rule Type | Default (PE, ...) |
|
Anti Analysis |
|
|
|
Try to detect debugger
|
|
|
Check via API "IsDebuggerPresent".
|
||
|
|
Dynamic API usage
|
|
|
Resolve above average number of APIs.
|
||
|
|
Device |
|
|
|
Write master boot record (MBR)
|
|
|
Write 512 bytes to master boot record (MBR).
|
||
|
|
OS |
|
|
|
Disable system tool
|
|
|
Disable startup repair by executing "C:\Windows\system32\cmd.exe /C title 9538298|bcdedit /set {default} recoveryenabled No".
|
||
|
Disable startup repair by executing "C:\Windows\system32\cmd.exe /C title 8997147|bcdedit /set {default} bootstatuspolicy ignoreallfailures".
|
||
|
|
File System |
|
|
|
Encrypt content of user files
|
|
|
Encrypt the content of multiple user files. This is an indicator for ransomware.
|
||
|
|
Handle with malicious files
|
|
|
File "c:\progra~1\common~1\wanacry6.malware.exe" is a known malicious file.
|
||
|
|
Modify operating system directory
|
|
|
Modify "c:\windows\system32\spp\store\2.0\data.dat.tmp".
|
||
|
Modify "c:\windows\system32\spp\store\2.0\data.dat.bak".
|
||
|
Modify "c:\windows\system32\spp\store\2.0\data.dat".
|
||
|
|
Create many files
|
|
|
Create above average number of files.
|
||
|
|
Kernel |
|
|
|
Execute code with kernel privileges
|
|
|
Execute code with kernel privileges.
|
||
|
|
Network |
|
|
|
Download data
|
|
|
Url "blockchain.info/tobtc?currency=USD&value=1500".
|
||
|
|
Connect to HTTP server
|
|
|
Remote address "blockchain.info/tobtc?currency=USD&value=1500".
|
||
|
|
Persistence |
|
|
|
Install system service
|
|
|
Install service "3123635631" by using the sc.exe utility.
|
||
|
|
Process |
|
|
|
Create process with hidden window
|
|
|
The process "C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn 3123635631 /rl highest /tr C:\PROGRA~1\COMMON~1\WANACR~1.EXE" starts with hidden window.
|
||
|
The process "C:\Windows\system32\cmd.exe /C title 4180649|vssadmin.exe Delete Shadows /All /Quiet" starts with hidden window.
|
||
|
The process "C:\Windows\system32\cmd.exe /C title 9538298|bcdedit /set {default} recoveryenabled No" starts with hidden window.
|
||
|
The process "C:\Windows\system32\cmd.exe /C title 8997147|bcdedit /set {default} bootstatuspolicy ignoreallfailures" starts with hidden window.
|
||
| - | Browser | |
| - | Hide Tracks | |
| - | Information Stealing | |
| - | Injection | |
| - | Masquerade | |
| - | PE | |
| - | User | |
| - | VBA Macro | |
| - | YARA | |
