title: WannaCry Ransomware
id: 41d40bff-377a-43e2-8e1b-2e543069e079
status: experimental
description: Detects WannaCry ransomware activity
references:
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
author: Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
date: 2019/01/16
modified: 2020/09/01
tags:
    - attack.lateral_movement
    - attack.t1210
    - attack.discovery
    - attack.t1083
    - attack.defense_evasion
    - attack.t1222.001
    - attack.t1222 # an old one
    - attack.impact
    - attack.t1486
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        - Image|endswith:
            - '\tasksche.exe'
            - '\mssecsvc.exe'
            - '\taskdl.exe'
            - '\taskhsvc.exe'
            - '\taskse.exe'
            - '\111.exe'
            - '\lhdfrgui.exe'
            - '\diskpart.exe'
            - '\linuxnew.exe'
            - '\wannacry.exe'
        - Image|contains: 'WanaDecryptor'
    selection2:
        - CommandLine|contains|all:
            - 'icacls'
            - '/grant'
            - 'Everyone:F'
            - '/T'
            - '/C'
            - '/Q'
        - CommandLine|contains|all:
            - 'bcdedit'
            - '/set'
            - '{default}'
            - 'recoveryenabled'
            - 'no'
        - CommandLine|contains|all:
            - 'wbadmin'
            - 'delete'
            - 'catalog'
            - '-quiet'
        - CommandLine|contains: '@Please_Read_Me@.txt'
    condition: 1 of them
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Diskpart.exe usage to manage partitions on the local hard drive
level: critical
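Added example, not part of the rule file or of the Sigma project: a small Python evaluator that applies this rule's selections to constructed process_creation events, so a detection engineer can see which selection fires on which event, that the documented diskpart.exe false positive really does trigger selection1, and that a vssadmin shadow-copy deletion (not listed in the rule) is not covered. Event records are assumed to be plain dicts with Image and CommandLine keys as a Sysmon or Security 4688 collector would normalise them; matching follows Sigma's documented semantics for the modifiers used here (case-insensitive, endswith/contains, |all requiring every value, list entries ORed, "1 of them" ORing the selections).

```python
"""Evaluate the WannaCry Sigma rule above against constructed process_creation events.

Assumptions (not from the rule file): events are dicts with "Image" and
"CommandLine" keys. Sigma string matching is case-insensitive, so every
comparison is done on lower-cased values.
"""

# Match values transcribed from the rule's selection1.
IMAGE_ENDSWITH = [
    r"\tasksche.exe", r"\mssecsvc.exe", r"\taskdl.exe", r"\taskhsvc.exe",
    r"\taskse.exe", r"\111.exe", r"\lhdfrgui.exe", r"\diskpart.exe",
    r"\linuxnew.exe", r"\wannacry.exe",
]
IMAGE_CONTAINS = ["WanaDecryptor"]

# Match values transcribed from the rule's selection2; each inner list is one
# CommandLine|contains|all entry, i.e. every token in it must be present.
CMDLINE_CONTAINS_ALL = [
    ["icacls", "/grant", "Everyone:F", "/T", "/C", "/Q"],
    ["bcdedit", "/set", "{default}", "recoveryenabled", "no"],
    ["wbadmin", "delete", "catalog", "-quiet"],
]
CMDLINE_CONTAINS = ["@Please_Read_Me@.txt"]


def _field(event, name):
    """Fetch a field as a lower-cased string; a missing field matches nothing."""
    return str(event.get(name, "")).lower()


def selection1(event):
    """Image|endswith (any of the list) OR Image|contains 'WanaDecryptor'."""
    image = _field(event, "Image")
    if any(image.endswith(suffix.lower()) for suffix in IMAGE_ENDSWITH):
        return True
    return any(needle.lower() in image for needle in IMAGE_CONTAINS)


def selection2(event):
    """Any of the contains|all groups OR CommandLine|contains the ransom note name."""
    cmd = _field(event, "CommandLine")
    if any(all(tok.lower() in cmd for tok in group) for group in CMDLINE_CONTAINS_ALL):
        return True
    return any(needle.lower() in cmd for needle in CMDLINE_CONTAINS)


def matches(event):
    """condition: 1 of them"""
    return selection1(event) or selection2(event)


def scan(events):
    """Return (index, [selections that fired]) for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        fired = [name for name, fn in (("selection1", selection1), ("selection2", selection2)) if fn(ev)]
        if fired:
            hits.append((i, fired))
    return hits


# Constructed sample events (not real telemetry); paths are illustrative only.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\tasksche.exe", "CommandLine": "tasksche.exe /i"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c icacls . /grant Everyone:F /T /C /Q"},
    # Shadow-copy deletion via vssadmin is NOT in this rule: expect no match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c vssadmin delete shadows /all /quiet"},
    # Documented false positive: legitimate diskpart use still fires selection1.
    {"Image": r"C:\Windows\System32\diskpart.exe", "CommandLine": "diskpart.exe"},
    # Mixed case exercises Sigma's case-insensitive matching.
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "BCDEDIT.EXE /set {default} recoveryenabled No"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, fired in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(fired)} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Running the block prints the four events that trigger the rule; the vssadmin event and the notepad event are silent, which is the kind of gap and false-positive check worth doing before deploying a rule at level critical.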