Dameon Welch-Abernathy, profile picture
Uploaded byDameon Welch-Abernathy
PDF, PPTX261 views

WannaCry emulation report

The document is a malware analysis report that details malicious activity detected on a system. It found that a 3.4MB executable file behaved like known malware and displayed ransomware-like behavior, encrypting over 30 files on the system and leaving encryption extensions. The malware made modifications to the registry and spawned multiple suspicious processes during its emulated execution.

Embed presentation

Download as PDF, PPTX
Malware Report Emulated On: Microsoft Windows XP 32 bit, SP3, Office 2003, Office 2007, Adobe Acrobat Reader 9.0, Adobe Flash Player 9, Java SE 1.6.0 1 1/16 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c… Malicious Activity Detected Type Size MD5 SHA1 exe 3.4 MB 84c82835a5d21bbcf75a61706d8ab549 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 Download malicious file 22 Files Created 25 Files Modified 4 Files Deleted 33 Affected Files 4 Processes Created 2 Processes Terminated 0 Processes Crashed 4 Affected Processes 13 Entries Set 0 Entries Deleted 13 Affected Registry Keys 4 Suspicious Activities C:WINDOWSsystem32attrib.exe C:WINDOWSsystem32cmd.exe C:WINDOWSsystem32cscript.exe C:te_filestaskdl.exe C:$LogFile C:Documents and SettingsadminDesktop@Please_Read_Me@.txt C:Documents and SettingsadminDesktop@WanaDecryptor@.exe C:Documents and SettingsadminDesktopa glimpse into the future.bm… more Behaves like a known malware ( Generic.MALWARE.1b25 ) Malware activity observed ( Trojan-Ransom.Win32.Wanna.b ) Malware detected ( Gen:Variant.Graftor.369176 ) Malware signature matched ( Trojan-ransom.Win32.Wcry.U.lzpjh ) HKCUSoftwareMicrosoftMultimediaAudio HKCUSoftwareMicrosoftMultimediaAudio Compression Manager HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00 more
Malware Report Emulation Screen Shots 2 2/16
Malware Report Emulation Screen Shots 3 3/16
Malware Report Table of Contents 4 4/16 Malware Residues 5-9 Unexpected Activities By Time 10-16
Malware Report Malware Residues ( 1 out of 5 ) 5 5/16 Suspicious Activities Behaves like a known malware ( Generic.MALWARE.1b25 ) Malware activity observed ( Trojan-Ransom.Win32.Wanna.b ) Malware detected ( Gen:Variant.Graftor.369176 ) Malware signature matched ( Trojan-ransom.Win32.Wcry.U.lzpjh ) Processes Spawned or Interacted with C:WINDOWSsystem32attrib.exe (Terminated ,Started) C:WINDOWSsystem32cmd.exe (Started) C:WINDOWSsystem32cscript.exe (Started) C:te_filestaskdl.exe (Terminated ,Started) Files Changed C:$LogFile (Modified) C:Documents and SettingsadminDesktop@Please_Read_Me@.txt (Created ,Modified) C:Documents and SettingsadminDesktop@WanaDecryptor@.exe (Created ,Modified) C:Documents and SettingsadminDesktopa glimpse into the future.bmp (Modified) C:Documents and SettingsadminDesktopa glimpse into the future.bmp.WNCRYT (Created ,Modified)
Malware Report Malware Residues ( 2 out of 5 ) 6 6/16 Files Changed C:Documents and SettingsadminDesktopconfidential.docx (Modified) C:Documents and SettingsadminDesktopconfidential.docx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCs@Please_Read_Me@.txt (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip (Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifed@Please_Read_Me@.txt (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp (Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx (Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx (Modified)
Malware Report Malware Residues ( 3 out of 5 ) 7 7/16 Files Changed C:Documents and SettingsadminDesktopimportant DOCsClassifed~SD3.tmp (Created ,Deleted) C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp (Modified) C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx (Modified) C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx (Modified) C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCs~SD2.tmp (Created ,Deleted) C:Documents and SettingsadminDesktop~SD1.tmp (Created ,Deleted)
Malware Report Malware Residues ( 4 out of 5 ) 8 8/16 Files Changed C:Documents and SettingsadminMy Documentsroadmap_2021.pptx.WNCRYT (Created ,Modified) C:Documents and SettingsadminMy Documents~SD4.tmp (Created ,Deleted) C:te_files219161325495940.bat (Created) C:te_files@WanaDecryptor@.exe (Created) C:te_filestaskdl.exe (Created) C:te_filestaskse.exe (Created) Registry Keys Modified HKCUSoftwareMicrosoftMultimediaAudio (Modified) HKCUSoftwareMicrosoftMultimediaAudio Compression Manager (Modified) HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM (Modified) HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00 (Modified) HKCUSoftwareMicrosoftWindows Script HostSettings (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersPersonal (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionWinTrustTrust ProvidersSoftware Publishing (Modified) HKLMSOFTWAREMicrosoftCryptographyRNGSeed (Modified)
Malware Report Malware Residues ( 5 out of 5 ) 9 9/16 Registry Keys Modified HKLMSOFTWAREMicrosoftWindows Script HostSettings (Modified) HKLMSOFTWAREWanaCrypt0r (Modified) HKLMSOFTWAREWanaCrypt0rwd (Modified)
Malware Report Unexpected Activities By Time ( 1 out of 7 ) 10 10/16 Elapsed Time Type Action 00:00:04 Registry Create C:te_filesemulatedFile58511_1.exe Created HKLMSOFTWAREWanaCrypt0r 00:00:04 Registry Set C:te_filesemulatedFile58511_1.exe Set HKLMSOFTWAREWanaCrypt0rwd 00:00:05 File Create C:te_filesemulatedFile58511_1.exe Created C:te_filestaskdl.exe 00:00:05 File Create C:te_filesemulatedFile58511_1.exe Created C:te_filestaskse.exe 00:00:05 Process Creation C:te_filesemulatedFile58511_1.exe Created C:WINDOWSsystem32attrib.exe 00:00:09 Registry Set C:WINDOWSsystem32attrib.exe Set HKLMSOFTWAREMicrosoftCryptographyRNGSeed 00:00:09 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio 00:00:13 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression Manager 00:00:13 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM 00:00:13 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00 00:00:17 Process Termination C:te_filesemulatedFile58511_1.exe Terminated C:WINDOWSsystem32attrib.exe 00:00:17 Registry Set C:te_filesemulatedFile58511_1.exe Set HKLMSOFTWAREMicrosoftCryptographyRNGSeed 00:00:19 Process Creation C:te_filesemulatedFile58511_1.exe Created C:te_filestaskdl.exe 00:00:20 Process Termination C:te_filesemulatedFile58511_1.exe Terminated C:te_filestaskdl.exe 00:00:21 Process Creation C:te_filesemulatedFile58511_1.exe Created C:WINDOWSsystem32cmd.exe 00:00:21 File Create C:te_filesemulatedFile58511_1.exe Created C:te_files@WanaDecryptor@.exe 00:00:21 File Create C:te_filesemulatedFile58511_1.exe Created C:te_files219161325495940.bat
Malware Report Unexpected Activities By Time ( 2 out of 7 ) 11 11/16 Elapsed Time Type Action 00:00:22 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktop~SD1.tmp 00:00:22 File Delete C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminDesktop~SD1.tmp 00:00:22 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopconfidential.docx.WNCRYT 00:00:22 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopconfidential.docx.WNCRYT 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopconfidential.docx 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:$LogFile 00:00:23 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktop@Please_Read_Me@.txt 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktop@Please_Read_Me@.txt 00:00:23 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktop@WanaDecryptor@.exe 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktop@WanaDecryptor@.exe 00:00:23 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCs~SD2.tmp 00:00:23 File Delete C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminDesktopimportant DOCs~SD2.tmp
Malware Report Unexpected Activities By Time ( 3 out of 7 ) 12 12/16 Elapsed Time Type Action 00:00:24 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx.WNCRYT 00:00:24 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx.WNCRYT 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx 00:00:25 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx.WNCRYT 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx.WNCRYT 00:00:25 Process Creation C:WINDOWSsystem32cmd.exe Created C:WINDOWSsystem32cscript.exe 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx 00:00:25 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCs@Please_Read_Me@.txt 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCs@Please_Read_Me@.txt 00:00:25 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifed~SD3.tmp
Malware Report Unexpected Activities By Time ( 4 out of 7 ) 13 13/16 Elapsed Time Type Action 00:00:25 File Delete C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminDesktopimportant DOCsClassifed~SD3.tmp 00:00:25 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx.WNCRYT 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx.WNCRYT 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx 00:00:25 Registry Set C:WINDOWSsystem32cscript.exe Set HKLMSOFTWAREMicrosoftCryptographyRNGSeed 00:00:26 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio 00:00:28 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression Manager 00:00:29 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM 00:00:29 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00 00:00:29 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx.WNCRYT 00:00:29 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx.WNCRYT
Malware Report Unexpected Activities By Time ( 5 out of 7 ) 14 14/16 Elapsed Time Type Action 00:00:31 Registry Create C:WINDOWSsystem32cscript.exe Created HKLMSOFTWAREMicrosoftWindows Script HostSettings 00:00:31 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftWindows Script HostSettings 00:00:31 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx 00:00:32 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifed@Please_Read_Me@.txt 00:00:32 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifed@Please_Read_Me@.txt 00:00:33 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip.WNCRYT 00:00:33 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip.WNCRYT 00:00:34 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip 00:00:34 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopa glimpse into the future.bmp.WNCRYT 00:00:34 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopa glimpse into the future.bmp.WNCRYT
Malware Report Unexpected Activities By Time ( 6 out of 7 ) 15 15/16 Elapsed Time Type Action 00:00:36 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopa glimpse into the future.bmp 00:00:36 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp.WNCRYT 00:00:36 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp.WNCRYT 00:00:36 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp 00:00:36 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp.WNCRYT 00:00:36 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp.WNCRYT 00:00:36 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp 00:00:36 Registry Create C:te_filesemulatedFile58511_1.exe Created HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders 00:00:36 Registry Create C:te_filesemulatedFile58511_1.exe Created HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders 00:00:37 Registry Set C:te_filesemulatedFile58511_1.exe Set HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersPersonal 00:00:37 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminMy Documents~SD4.tmp 00:00:37 File Delete C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminMy Documents~SD4.tmp 00:00:37 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminMy Documentsroadmap_2021.pptx.WNCRYT 00:00:37 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminMy Documentsroadmap_2021.pptx.WNCRYT
Malware Report Unexpected Activities By Time ( 7 out of 7 ) 16 16/16 Elapsed Time Type Action 00:00:37 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftWindowsCurrentVersionWinTrustTrust ProvidersSoftware Publishing 00:00:39 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminMy Documentsroadmap_2021.pptx
WannaCry emulation report

More Related Content

DOC
Hijack This
byKitty
 
PDF
Tenha um domínio do regedit do windows
byCarlos Catanejo
 
PDF
Malware analysis
byDen Iir
 
PPTX
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
byJared Greenhill
 
PDF
InnoTech 2017_Defend_Against_Ransomware 3.0
byMichael Gough
 
PDF
Defending against Ransomware and what you can do about it
byJoAnna Cheshire
 
PDF
Email keeps getting us pwned v1.0
byMichael Gough
 
PDF
Email keeps getting us pwned v1.1
byMichael Gough
 
Hijack This
byKitty
 
Tenha um domínio do regedit do windows
byCarlos Catanejo
 
Malware analysis
byDen Iir
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
byJared Greenhill
 
InnoTech 2017_Defend_Against_Ransomware 3.0
byMichael Gough
 
Defending against Ransomware and what you can do about it
byJoAnna Cheshire
 
Email keeps getting us pwned v1.0
byMichael Gough
 
Email keeps getting us pwned v1.1
byMichael Gough
 

Similar to WannaCry emulation report

PDF
Email keeps getting us pwned - Avoiding Ransomware and malware
byMichael Gough
 
PDF
DIR ISF - Email keeps getting us pwned v1.1
byMichael Gough
 
PPTX
Virus & data protection by DKSoft
byDKSoft
 
PDF
Michelle K Webster: Malware - Cryptolocker Research Final
byM.K. Webster
 
PDF
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
byeightbit
 
PDF
Insurance Sector Targeted Malware Analysis Report
byBRANDEFENSE
 
PDF
What can you do about ransomware
byMichael Gough
 
PPTX
Windows forensic
byMD SAQUIB KHAN
 
PPT
Thou shalt not
bytaftosterone
 
PPTX
Introducing Intelligence Into Your Malware Analysis
byBrian Baskin
 
PPS
Windows xp(1)
byDina El Stohy
 
PPTX
Ransomware: WanaCry, WanCrypt
byYash Diwakar
 
PPT
so big 22
bycainem
 
PPTX
Dissecting the heart beat apt rat functionalities - Part 2
byn|u - The Open Security Community
 
PDF
ESET India Cyber Threat Trends Report Q1
byESET_India
 
PPT
so big
bycainem
 
PPT
so big ppt
bycainem
 
PDF
Computer viruses
byAlfred George
 
PDF
Deeplook into apt and how to detect and defend v1.0
byMichael Gough
 
DOCX
Run commands
byejaj ahmad
 
Email keeps getting us pwned - Avoiding Ransomware and malware
byMichael Gough
 
DIR ISF - Email keeps getting us pwned v1.1
byMichael Gough
 
Virus & data protection by DKSoft
byDKSoft
 
Michelle K Webster: Malware - Cryptolocker Research Final
byM.K. Webster
 
Defcon 25 Packet Hacking Village - Finding Your Way to Domain Access
byeightbit
 
Insurance Sector Targeted Malware Analysis Report
byBRANDEFENSE
 
What can you do about ransomware
byMichael Gough
 
Windows forensic
byMD SAQUIB KHAN
 
Thou shalt not
bytaftosterone
 
Introducing Intelligence Into Your Malware Analysis
byBrian Baskin
 
Windows xp(1)
byDina El Stohy
 
Ransomware: WanaCry, WanCrypt
byYash Diwakar
 
so big 22
bycainem
 
Dissecting the heart beat apt rat functionalities - Part 2
byn|u - The Open Security Community
 
ESET India Cyber Threat Trends Report Q1
byESET_India
 
so big
bycainem
 
so big ppt
bycainem
 
Computer viruses
byAlfred George
 
Deeplook into apt and how to detect and defend v1.0
byMichael Gough
 
Run commands
byejaj ahmad
 

Recently uploaded

PPTX
Cybersecurity Basics: Understanding Threats, Protection Methods, and Safe Dig...
byDhruvManiar3
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PPT
Information and Communication Technologies and Power
byJeffrey Hart
 
PPTX
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
PDF
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
PPTX
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
PDF
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
PDF
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
PDF
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
PPTX
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
PDF
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PDF
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
PDF
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PDF
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
PDF
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
PPTX
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
PPTX
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 
Cybersecurity Basics: Understanding Threats, Protection Methods, and Safe Dig...
byDhruvManiar3
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
Information and Communication Technologies and Power
byJeffrey Hart
 
Search Engine Responses to Conspiratorial Search Practices AANZCA 2025 Presen...
bykkasianenko
 
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
Introduction to Computer Network Concepts.pptx
byAnacrissa Soriano
 
IAC 500 Sensor - Humidity Measurement Device
byCS Instruments
 
splunk-peak-threat-hunting-framework.pdf
bylobster6719
 
Small Business Automation: A Comprehensive Cost and ROI Guide
byAmelia Swank
 
UNIT III TYPOLOGY OF CRIME AND CRIMINAL BEHAVIOUR (1).pptx
bybloodyhumanoid
 
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
कम्प्यूटर.pdf for all computer examination
bynm92169694
 
Unit 1.2 Components of a Computer System.pdf
bySanieBautista
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
The map to conquer linear algebra for IT engineer
byakipii ogaoga
 
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
Achieving Interoperability in Healthcare IT: A Strategic Guide
byHart, Inc.
 
Scrape YouTube Video Data for Influencer Analytics.pptx
byWeb Data Crawler
 
Digital transformation success powered by EPM and NexInfo.pptx
byjayasuryanexinfo
 

WannaCry emulation report

  • 1.
    Malware Report Emulated On:Microsoft Windows XP 32 bit, SP3, Office 2003, Office 2007, Adobe Acrobat Reader 9.0, Adobe Flash Player 9, Java SE 1.6.0 1 1/16 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c… Malicious Activity Detected Type Size MD5 SHA1 exe 3.4 MB 84c82835a5d21bbcf75a61706d8ab549 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 Download malicious file 22 Files Created 25 Files Modified 4 Files Deleted 33 Affected Files 4 Processes Created 2 Processes Terminated 0 Processes Crashed 4 Affected Processes 13 Entries Set 0 Entries Deleted 13 Affected Registry Keys 4 Suspicious Activities C:WINDOWSsystem32attrib.exe C:WINDOWSsystem32cmd.exe C:WINDOWSsystem32cscript.exe C:te_filestaskdl.exe C:$LogFile C:Documents and SettingsadminDesktop@Please_Read_Me@.txt C:Documents and SettingsadminDesktop@WanaDecryptor@.exe C:Documents and SettingsadminDesktopa glimpse into the future.bm… more Behaves like a known malware ( Generic.MALWARE.1b25 ) Malware activity observed ( Trojan-Ransom.Win32.Wanna.b ) Malware detected ( Gen:Variant.Graftor.369176 ) Malware signature matched ( Trojan-ransom.Win32.Wcry.U.lzpjh ) HKCUSoftwareMicrosoftMultimediaAudio HKCUSoftwareMicrosoftMultimediaAudio Compression Manager HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00 more
  • 2.
  • 3.
  • 4.
    Malware Report Table ofContents 4 4/16 Malware Residues 5-9 Unexpected Activities By Time 10-16
  • 5.
    Malware Report Malware Residues( 1 out of 5 ) 5 5/16 Suspicious Activities Behaves like a known malware ( Generic.MALWARE.1b25 ) Malware activity observed ( Trojan-Ransom.Win32.Wanna.b ) Malware detected ( Gen:Variant.Graftor.369176 ) Malware signature matched ( Trojan-ransom.Win32.Wcry.U.lzpjh ) Processes Spawned or Interacted with C:WINDOWSsystem32attrib.exe (Terminated ,Started) C:WINDOWSsystem32cmd.exe (Started) C:WINDOWSsystem32cscript.exe (Started) C:te_filestaskdl.exe (Terminated ,Started) Files Changed C:$LogFile (Modified) C:Documents and SettingsadminDesktop@Please_Read_Me@.txt (Created ,Modified) C:Documents and SettingsadminDesktop@WanaDecryptor@.exe (Created ,Modified) C:Documents and SettingsadminDesktopa glimpse into the future.bmp (Modified) C:Documents and SettingsadminDesktopa glimpse into the future.bmp.WNCRYT (Created ,Modified)
  • 6.
    Malware Report Malware Residues( 2 out of 5 ) 6 6/16 Files Changed C:Documents and SettingsadminDesktopconfidential.docx (Modified) C:Documents and SettingsadminDesktopconfidential.docx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCs@Please_Read_Me@.txt (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip (Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifed@Please_Read_Me@.txt (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp (Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx (Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx (Modified)
  • 7.
    Malware Report Malware Residues( 3 out of 5 ) 7 7/16 Files Changed C:Documents and SettingsadminDesktopimportant DOCsClassifed~SD3.tmp (Created ,Deleted) C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp (Modified) C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx (Modified) C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx (Modified) C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx.WNCRYT (Created ,Modified) C:Documents and SettingsadminDesktopimportant DOCs~SD2.tmp (Created ,Deleted) C:Documents and SettingsadminDesktop~SD1.tmp (Created ,Deleted)
  • 8.
    Malware Report Malware Residues( 4 out of 5 ) 8 8/16 Files Changed C:Documents and SettingsadminMy Documentsroadmap_2021.pptx.WNCRYT (Created ,Modified) C:Documents and SettingsadminMy Documents~SD4.tmp (Created ,Deleted) C:te_files219161325495940.bat (Created) C:te_files@WanaDecryptor@.exe (Created) C:te_filestaskdl.exe (Created) C:te_filestaskse.exe (Created) Registry Keys Modified HKCUSoftwareMicrosoftMultimediaAudio (Modified) HKCUSoftwareMicrosoftMultimediaAudio Compression Manager (Modified) HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM (Modified) HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00 (Modified) HKCUSoftwareMicrosoftWindows Script HostSettings (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersPersonal (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders (Modified) HKCUSoftwareMicrosoftWindowsCurrentVersionWinTrustTrust ProvidersSoftware Publishing (Modified) HKLMSOFTWAREMicrosoftCryptographyRNGSeed (Modified)
  • 9.
    Malware Report Malware Residues( 5 out of 5 ) 9 9/16 Registry Keys Modified HKLMSOFTWAREMicrosoftWindows Script HostSettings (Modified) HKLMSOFTWAREWanaCrypt0r (Modified) HKLMSOFTWAREWanaCrypt0rwd (Modified)
  • 10.
    Malware Report Unexpected ActivitiesBy Time ( 1 out of 7 ) 10 10/16 Elapsed Time Type Action 00:00:04 Registry Create C:te_filesemulatedFile58511_1.exe Created HKLMSOFTWAREWanaCrypt0r 00:00:04 Registry Set C:te_filesemulatedFile58511_1.exe Set HKLMSOFTWAREWanaCrypt0rwd 00:00:05 File Create C:te_filesemulatedFile58511_1.exe Created C:te_filestaskdl.exe 00:00:05 File Create C:te_filesemulatedFile58511_1.exe Created C:te_filestaskse.exe 00:00:05 Process Creation C:te_filesemulatedFile58511_1.exe Created C:WINDOWSsystem32attrib.exe 00:00:09 Registry Set C:WINDOWSsystem32attrib.exe Set HKLMSOFTWAREMicrosoftCryptographyRNGSeed 00:00:09 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio 00:00:13 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression Manager 00:00:13 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM 00:00:13 Registry Create C:WINDOWSsystem32attrib.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00 00:00:17 Process Termination C:te_filesemulatedFile58511_1.exe Terminated C:WINDOWSsystem32attrib.exe 00:00:17 Registry Set C:te_filesemulatedFile58511_1.exe Set HKLMSOFTWAREMicrosoftCryptographyRNGSeed 00:00:19 Process Creation C:te_filesemulatedFile58511_1.exe Created C:te_filestaskdl.exe 00:00:20 Process Termination C:te_filesemulatedFile58511_1.exe Terminated C:te_filestaskdl.exe 00:00:21 Process Creation C:te_filesemulatedFile58511_1.exe Created C:WINDOWSsystem32cmd.exe 00:00:21 File Create C:te_filesemulatedFile58511_1.exe Created C:te_files@WanaDecryptor@.exe 00:00:21 File Create C:te_filesemulatedFile58511_1.exe Created C:te_files219161325495940.bat
  • 11.
    Malware Report Unexpected ActivitiesBy Time ( 2 out of 7 ) 11 11/16 Elapsed Time Type Action 00:00:22 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktop~SD1.tmp 00:00:22 File Delete C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminDesktop~SD1.tmp 00:00:22 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopconfidential.docx.WNCRYT 00:00:22 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopconfidential.docx.WNCRYT 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopconfidential.docx 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:$LogFile 00:00:23 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktop@Please_Read_Me@.txt 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktop@Please_Read_Me@.txt 00:00:23 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktop@WanaDecryptor@.exe 00:00:23 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktop@WanaDecryptor@.exe 00:00:23 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCs~SD2.tmp 00:00:23 File Delete C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminDesktopimportant DOCs~SD2.tmp
  • 12.
    Malware Report Unexpected ActivitiesBy Time ( 3 out of 7 ) 12 12/16 Elapsed Time Type Action 00:00:24 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx.WNCRYT 00:00:24 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx.WNCRYT 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsconfidential.docx 00:00:25 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx.WNCRYT 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx.WNCRYT 00:00:25 Process Creation C:WINDOWSsystem32cmd.exe Created C:WINDOWSsystem32cscript.exe 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsroadmap_2021.pptx 00:00:25 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCs@Please_Read_Me@.txt 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCs@Please_Read_Me@.txt 00:00:25 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifed~SD3.tmp
  • 13.
    Malware Report Unexpected ActivitiesBy Time ( 4 out of 7 ) 13 13/16 Elapsed Time Type Action 00:00:25 File Delete C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminDesktopimportant DOCsClassifed~SD3.tmp 00:00:25 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx.WNCRYT 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx.WNCRYT 00:00:25 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedconfidential.docx 00:00:25 Registry Set C:WINDOWSsystem32cscript.exe Set HKLMSOFTWAREMicrosoftCryptographyRNGSeed 00:00:26 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio 00:00:28 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression Manager 00:00:29 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerMSACM 00:00:29 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftMultimediaAudio Compression ManagerPriority v4.00 00:00:29 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx.WNCRYT 00:00:29 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx.WNCRYT
  • 14.
    Malware Report Unexpected ActivitiesBy Time ( 5 out of 7 ) 14 14/16 Elapsed Time Type Action 00:00:31 Registry Create C:WINDOWSsystem32cscript.exe Created HKLMSOFTWAREMicrosoftWindows Script HostSettings 00:00:31 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftWindows Script HostSettings 00:00:31 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifedroadmap_2021.pptx 00:00:32 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifed@Please_Read_Me@.txt 00:00:32 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifed@Please_Read_Me@.txt 00:00:33 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip.WNCRYT 00:00:33 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip.WNCRYT 00:00:34 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifed.zip 00:00:34 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopa glimpse into the future.bmp.WNCRYT 00:00:34 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopa glimpse into the future.bmp.WNCRYT
  • 15.
    Malware Report Unexpected ActivitiesBy Time ( 6 out of 7 ) 15 15/16 Elapsed Time Type Action 00:00:36 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopa glimpse into the future.bmp 00:00:36 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp.WNCRYT 00:00:36 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp.WNCRYT 00:00:36 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsa glimpse into the future.bmp 00:00:36 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp.WNCRYT 00:00:36 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp.WNCRYT 00:00:36 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminDesktopimportant DOCsClassifeda glimpse.bmp 00:00:36 Registry Create C:te_filesemulatedFile58511_1.exe Created HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerUser Shell Folders 00:00:36 Registry Create C:te_filesemulatedFile58511_1.exe Created HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders 00:00:37 Registry Set C:te_filesemulatedFile58511_1.exe Set HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersPersonal 00:00:37 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminMy Documents~SD4.tmp 00:00:37 File Delete C:te_filesemulatedFile58511_1.exe Deleted C:Documents and SettingsadminMy Documents~SD4.tmp 00:00:37 File Create C:te_filesemulatedFile58511_1.exe Created C:Documents and SettingsadminMy Documentsroadmap_2021.pptx.WNCRYT 00:00:37 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminMy Documentsroadmap_2021.pptx.WNCRYT
  • 16.
    Malware Report Unexpected ActivitiesBy Time ( 7 out of 7 ) 16 16/16 Elapsed Time Type Action 00:00:37 Registry Create C:WINDOWSsystem32cscript.exe Created HKCUSoftwareMicrosoftWindowsCurrentVersionWinTrustTrust ProvidersSoftware Publishing 00:00:39 File Write C:te_filesemulatedFile58511_1.exe Wrote To C:Documents and SettingsadminMy Documentsroadmap_2021.pptx