title: WannaCry Ransomware
id: 41d40bff-377a-43e2-8e1b-2e543069e079
status: experimental
description: Detects WannaCry ransomware activity
references:
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
date: 2019/01/16
modified: 2020/09/01
tags:
    - attack.lateral_movement
    - attack.t1210
    - attack.discovery
    - attack.t1083
    - attack.defense_evasion
    - attack.t1222.001
    - attack.t1222  # an old one
    - attack.impact
    - attack.t1486
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image:
            - '*\tasksche.exe'
            - '*\mssecsvc.exe'
            - '*\taskdl.exe'
            - '*\@WanaDecryptor@*'
            - '*\WanaDecryptor*'
            - '*\taskhsvc.exe'
            - '*\taskse.exe'
            - '*\111.exe'
            - '*\lhdfrgui.exe'
            - '*\diskpart.exe'
            - '*\linuxnew.exe'
            - '*\wannacry.exe'
    selection2:
        CommandLine:
            - '*icacls * /grant Everyone:F /T /C /Q*'
            - '*bcdedit /set {default} recoveryenabled no*'
            - '*wbadmin delete catalog -quiet*'
            - '*@Please_Read_Me@.txt*'
    condition: 1 of them
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Diskpart.exe usage to manage partitions on the local hard drive
level: critical