WannaCry
December 21, 2023
| Field | Value |
|---|---|
| ID | X0043 |
| Type | Ransomware |
| Aliases | None |
| Platforms | Windows |
| Year | 2017 |
| Associated ATT&CK Software | WannaCry |
WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread across a computer network using the SMBv1 exploit EternalBlue. [1]
ATT&CK Techniques
See ATT&CK: WannaCry - Techniques Used.
Enhanced ATT&CK Techniques
| Name | Use |
|---|---|
| Defense Evasion::Hidden Files and Directories (F0005.003) | WannaCry uses the +h attribute to hide its files. [1] |
| Persistence::Registry Run Keys / Startup Folder (F0012) | WannaCry creates two registry run keys to ensure persistence. [1] |
| Defense Evasion::Self Deletion (F0007) | WannaCry looks for a DNS entry and if the entry exists, it terminates and deletes itself. [1] |
| Impact::Data Encrypted for Impact (E1486) | WannaCry encrypts files for ransom. [1] |
MBC Behaviors
| Name | Use |
|---|---|
| Discovery::Self Discovery (B0038) | WannaCry checks the size of the file it loads into memory. [1] |
| Discovery::Self Discovery (B0038.002) | WannaCry checks a string, keylen and a magic number before decrypting a dll. [1] |
| Discovery::Self Discovery (B0038.003) | WannaCry checks the data length of a section before decrypting a dll. [1] |
Indicators of Compromise
MD5 Hashes
- db349b97c37d22f5ea1d1841e3c89eb4
- 84c82835a5d21bbcf75a61706d8ab549
- f351e1fcca0c4ea05fc44d15a17f8b36
- 7bf2b57f2a205768755c07f238fb32cc
References
[1] https://www.mandiant.com/resources/blog/wannacry-malware-profile