title: WannaCry Ransomware status: experimental description: Detects WannaCry ransomware activity references: - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 author: Florian Roth (rule), Tom U. @c_APT_ure (collection) logsource: category: process_creation product: windows detection: selection1: Image: - '*\tasksche.exe' - '*\mssecsvc.exe' - '*\taskdl.exe' - '*\@WanaDecryptor@*' - '*\WanaDecryptor*' - '*\taskhsvc.exe' - '*\taskse.exe' - '*\111.exe' - '*\lhdfrgui.exe' - '*\diskpart.exe' - '*\linuxnew.exe' - '*\wannacry.exe' selection2: CommandLine: - '*icacls * /grant Everyone:F /T /C /Q*' - '*bcdedit /set {default} recoveryenabled no*' - '*wbadmin delete catalog -quiet*' - '*@Please_Read_Me@.txt*' condition: 1 of them fields: - CommandLine - ParentCommandLine falsepositives: - Diskpart.exe usage to manage partitions on the local hard drive level: critical