WannaCry
Associated Software Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1047 | Windows管理规范 | ||
| Enterprise | T1090 | .003 | 代理: Multi-hop Proxy | |
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service |
WannaCry creates the service "mssecsvc2.0" with the display name "Microsoft Security Center (2.0) Service."[1][4] |
| Enterprise | T1573 | .002 | 加密通道: Asymmetric Cryptography |
WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.[5] |
| Enterprise | T1120 | 外围设备发现 |
WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device.[4] |
|
| Enterprise | T1486 | 数据加密以实现影响 |
WannaCry encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files.[1][4][5] |
|
| Enterprise | T1083 | 文件和目录发现 |
WannaCry searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.[1][4] |
|
| Enterprise | T1222 | .001 | 文件和目录权限修改: Windows File and Directory Permissions Modification |
WannaCry uses |
| Enterprise | T1489 | 服务停止 |
WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores.[4][5] |
|
| Enterprise | T1570 | 横向工具传输 |
WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit.[1] |
|
| Enterprise | T1490 | 系统恢复抑制 |
WannaCry uses |
|
| Enterprise | T1016 | 系统网络配置发现 |
WannaCry will attempt to determine the local network segment it is a part of.[5] |
|
| Enterprise | T1563 | .002 | 远程服务会话劫持: RDP Hijacking |
WannaCry enumerates current remote desktop sessions and tries to execute the malware on each session.[1] |
| Enterprise | T1210 | 远程服务漏洞利用 |
WannaCry uses an exploit in SMBv1 to spread itself to other remote systems on a network.[1][4][2] |
|
| Enterprise | T1018 | 远程系统发现 |
WannaCry scans its local network segment for remote systems to try to exploit and copy itself to.[5] |
|
| Enterprise | T1564 | .001 | 隐藏伪装: Hidden Files and Directories |
WannaCry uses |
| ICS | T0866 | Exploitation of Remote Services |
WannaCry initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. [6] |
|
| ICS | T0867 | Lateral Tool Transfer |
WannaCry can move laterally through industrial networks by means of the SMB service. [6] |
|
Groups That Use This Software
References
- Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved December 8, 2024.
- US-CERT. (2017, May 12). Alert (TA17-132A): Indicators Associated With WannaCry Ransomware. Retrieved March 25, 2019.
- Dwoskin, E. and Adam, K. (2017, May 14). More than 150 countries affected by massive cyberattack, Europol says. Retrieved March 25, 2019.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.