title: WannaCry Ransomware
id: 41d40bff-377a-43e2-8e1b-2e543069e079
status: experimental
description: Detects WannaCry ransomware activity
references:
    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
date: 2019/01/16
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image:
            - '*\tasksche.exe'
            - '*\mssecsvc.exe'
            - '*\taskdl.exe'
            - '*\@WanaDecryptor@*'
            - '*\WanaDecryptor*'
            - '*\taskhsvc.exe'
            - '*\taskse.exe'
            - '*\111.exe'
            - '*\lhdfrgui.exe'
            - '*\diskpart.exe'
            - '*\linuxnew.exe'
            - '*\wannacry.exe'
    selection2:
        CommandLine:
            - '*icacls * /grant Everyone:F /T /C /Q*'
            - '*bcdedit /set {default} recoveryenabled no*'
            - '*wbadmin delete catalog -quiet*'
            - '*@Please_Read_Me@.txt*'
    condition: 1 of them
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Diskpart.exe usage to manage partitions on the local hard drive
level: critical