WannaCry Ransomware Activity

 1title: WannaCry Ransomware Activity
 2id: 41d40bff-377a-43e2-8e1b-2e543069e079
 3status: test
 4description: Detects WannaCry ransomware activity
 5references:
 6    - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 7author: Florian Roth (Nextron Systems), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro
 8date: 2019/01/16
 9modified: 2023/02/03
10tags:
11    - attack.lateral_movement
12    - attack.t1210
13    - attack.discovery
14    - attack.t1083
15    - attack.defense_evasion
16    - attack.t1222.001
17    - attack.impact
18    - attack.t1486
19    - attack.t1490
20    - detection.emerging_threats
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection1:
26        - Image|endswith:
27              - '\tasksche.exe'
28              - '\mssecsvc.exe'
29              - '\taskdl.exe'
30              - '\taskhsvc.exe'
31              - '\taskse.exe'
32              - '\111.exe'
33              - '\lhdfrgui.exe'
34              # - '\diskpart.exe'  # cannot be used in a rule of level critical
35              - '\linuxnew.exe'
36              - '\wannacry.exe'
37        - Image|contains: 'WanaDecryptor'
38    selection2:
39        - CommandLine|contains|all:
40              - 'icacls'
41              - '/grant'
42              - 'Everyone:F'
43              - '/T'
44              - '/C'
45              - '/Q'
46        - CommandLine|contains|all:
47              - 'bcdedit'
48              - '/set'
49              - '{default}'
50              - 'recoveryenabled'
51              - 'no'
52        - CommandLine|contains|all:
53              - 'wbadmin'
54              - 'delete'
55              - 'catalog'
56              - '-quiet'
57        - CommandLine|contains: '@Please_Read_Me@.txt'
58    condition: 1 of selection*
59fields:
60    - CommandLine
61    - ParentCommandLine
62falsepositives:
63    - Unknown
64level: critical