W32/WannaCryptor.D!tr.ransom

Analysis


W32/WannaCryptor.D!tr is a generic detection for a variant of the WannaCryptor ransomware. It encrypts a wide range of file types, appends the ".wncry" extension to each encrypted file, and displays a message window with instructions on how users can recover their files. Since this is a generic detection, files that are detected as W32/WannaCryptor.D!tr may have varying behaviour. For more information, please refer to the description for W32/WannaCryptor!tr.
Below are the behaviours that this variant exhibits:

  • It connects to the following domain:
    • iuqer{Removed}.com
    This is the trojan's kill switch. If a connection to the domain succeeds, the malware does not carry out the rest of its malicious actions; if the connection fails, it proceeds. Blocking this domain at a web filter or proxy therefore removes the kill switch and lets the payload run, so the domain should be allowed to resolve (or sinkholed), not blocked.

  • It executes itself again as the service "mssecsvc2.0" with the display name "Microsoft Security Center (2.0) Service" and with the parameter "-m security".

  • It drops the file "C:\WINDOWS\tasksche.exe". This is also detected as W32/WannaCryptor.D!tr.

  • It drops the file "@WanaDecryptor@.exe" into every folder. This is detected as W32/WannaCryptor.E!tr.

  • It runs the following process to delete volume shadow copies, backups, and prevent startup repair:
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

  • It runs the following process to change file permissions:
      icacls . /grant Everyone:F /T /C /Q

  • It exploits the Microsoft Windows SMB Server vulnerability CVE-2017-0144 (patched in MS17-010) to spread to other hosts over SMBv1 on TCP port 445. This is the vulnerability prominently used by the EternalBlue exploit.

  • It encrypts files with the following extensions:
    • 123
    • 602
    • 3dm
    • 3ds
    • 3g2
    • 3gp
    • 7z
    • accdb
    • aes
    • ai
    • ARC
    • asc
    • asf
    • asm
    • asp
    • avi
    • backup
    • bak
    • bat
    • bmp
    • brd
    • bz2
    • c
    • cgm
    • class
    • cmd
    • cpp
    • crt
    • cs
    • csr
    • csv
    • db
    • dbf
    • dch
    • der
    • dif
    • dip
    • djv
    • doc
    • docb
    • docm
    • docx
    • dot
    • dotm
    • dotx
    • dwg
    • edb
    • eml
    • fla
    • flv
    • frm
    • gif
    • gpg
    • gz
    • h
    • hwp
    • ibd
    • iso
    • jar
    • jav
    • jpeg
    • jpg
    • js
    • jsp
    • key
    • lay
    • lay6
    • ldf
    • m3u
    • m4u
    • max
    • mdb
    • mdf
    • mid
    • mkv
    • mml
    • mov
    • mp3
    • mp4
    • mpeg
    • mpg
    • msg
    • myd
    • myi
    • nef
    • odb
    • odg
    • odp
    • ods
    • odt
    • onetoc2
    • ost
    • otg
    • otp
    • ots
    • ott
    • p12
    • PAQ
    • pas
    • pdf
    • pem
    • pfx
    • php
    • pl
    • png
    • pot
    • potm
    • potx
    • ppam
    • pps
    • ppsm
    • ppsx
    • ppt
    • pptm
    • pptx
    • ps1
    • psd
    • pst
    • rar
    • raw
    • rb
    • rtf
    • sch
    • sh
    • sldm
    • sldm
    • sldx
    • slk
    • sln
    • snt
    • sql
    • sqlite3
    • sqlitedb
    • stc
    • std
    • sti
    • stw
    • suo
    • svg
    • swf
    • sxc
    • sxd
    • sxi
    • sxm
    • sxw
    • tar
    • tbk
    • tgz
    • tif
    • tiff
    • txt
    • uop
    • uot
    • vb
    • vbs
    • vcd
    • vdi
    • vmdk
    • vmx
    • vob
    • vsd
    • vsdx
    • wav
    • wb2
    • wk1
    • wks
    • wma
    • wmv
    • xlc
    • xlm
    • xls
    • xlsb
    • xlsm
    • xlsx
    • xlt
    • xltm
    • xltx
    • xlw
    • zip
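The process-creation behaviours listed above (the "-m security" service argument, the dropped "tasksche.exe" and "@WanaDecryptor@.exe" binaries, the chained vssadmin/wmic/bcdedit/wbadmin command, and the icacls permission change) are all visible in endpoint telemetry. The following is an added example, not code from the Fortinet write-up: a small Python rule set run over constructed Sysmon-style process-creation events. The events, the "C:\Windows\Temp\payload.exe" path and the "*S-1-1-0" SID form of Everyone are assumptions for the example, not indicators taken from the page.

```python
import re
from collections import Counter

# Constructed sample process-creation events (Sysmon Event ID 1 / Security 4688
# style, reduced to the two fields the rules need). They are made up for this
# example, not real telemetry; the path under C:\Windows\Temp is hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Image": r"C:\Windows\Temp\payload.exe",
     "CommandLine": r"C:\Windows\Temp\payload.exe -m security"},
    {"Image": r"C:\Windows\tasksche.exe",
     "CommandLine": r"C:\Windows\tasksche.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": (r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete "
                     r"& bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                     r"& bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet")},
    {"Image": r"C:\Windows\System32\icacls.exe",
     "CommandLine": r"icacls . /grant Everyone:F /T /C /Q"},
    {"Image": r"C:\Users\alice\Documents\@WanaDecryptor@.exe",
     "CommandLine": r"@WanaDecryptor@.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin list shadows"},   # benign: listing, not deleting
]

# (rule name, event field to match, pattern). The patterns follow the behaviours
# listed above; "*S-1-1-0" is the SID form of Everyone (an assumption added here).
RULES = [
    ("wannacry_service_arg", "CommandLine",
     re.compile(r"\s-m\s+security\b", re.I)),
    ("wannacry_dropped_binary", "Image",
     re.compile(r"\\(tasksche\.exe|@WanaDecryptor@\.exe)$", re.I)),
    ("shadow_copy_delete", "CommandLine",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot_recovery_disable", "CommandLine",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_delete", "CommandLine",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("icacls_everyone_full", "CommandLine",
     re.compile(r"icacls(\.exe)?\s+\S+\s+/grant\s+(Everyone|\*S-1-1-0):F\b", re.I)),
]

# Rules that, chained in one command, indicate the recovery-inhibition step.
RECOVERY_INHIBITION = {"shadow_copy_delete", "boot_recovery_disable", "backup_catalog_delete"}


def scan(events):
    """Return (event index, rule name) for every rule that fires on every event."""
    hits = []
    for i, ev in enumerate(events):
        for name, field, pattern in RULES:
            if pattern.search(ev.get(field, "")):
                hits.append((i, name))
    return hits


def rule_hit_counts(events):
    """How often each rule fired across the event set."""
    return Counter(name for _, name in scan(events))


def recovery_inhibition_events(events, minimum=2):
    """Indices of events where at least `minimum` distinct recovery-inhibition
    rules fire on one command line. A single 'vssadmin delete shadows' can be an
    admin action; the chained form is the strong ransomware signal."""
    by_event = {}
    for i, name in scan(events):
        if name in RECOVERY_INHIBITION:
            by_event.setdefault(i, set()).add(name)
    return sorted(i for i, names in by_event.items() if len(names) >= minimum)


if __name__ == "__main__":
    for i, name in scan(SAMPLE_EVENTS):
        print(f"event {i}: {name} :: {SAMPLE_EVENTS[i]['CommandLine']}")
    print("recovery inhibition in events:", recovery_inhibition_events(SAMPLE_EVENTS))
```

The rules match on the command line rather than the image path because the chained deletion runs under cmd.exe; matching the image alone would miss it. The `recovery_inhibition_events` threshold is what keeps a lone administrative `vssadmin delete shadows` from paging someone at 3 a.m.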

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.
  • Download and install the patch for the Microsoft Windows SMB Server Vulnerability at https://technet.microsoft.com/library/security/MS17-010.
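Before replacing files from backup, it helps to know exactly which files the variant touched and where it left its decryptor binary. The following is an added example, not code from the Fortinet write-up: a Python triage script that walks a directory tree, recovers the original name and extension of every file carrying the ".wncry" suffix, checks that extension against the targeted list above (a subset is embedded here), and lists the dropped "@WanaDecryptor@.exe" copies. The sample tree it builds is constructed for the example. Stripping the suffix only recovers the name, not the contents; the data still has to come from clean backups.

```python
import tempfile
from pathlib import Path

# The variant appends this to every file it encrypts. Compared case-insensitively,
# since samples in the wild write it in upper case.
ENCRYPTED_SUFFIX = ".wncry"
DROPPED_DECRYPTOR = "@wanadecryptor@.exe"

# Subset of the targeted extensions listed above, lower-cased for comparison.
# Extend with the full list when running this against a real host.
TARGETED_EXTENSIONS = {
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf", "csv",
    "jpg", "jpeg", "png", "gif", "mp3", "mp4", "avi", "zip", "rar", "7z",
    "c", "cpp", "h", "cs", "js", "sql", "mdb", "pst", "vmdk", "pem", "key",
    "p12", "pfx",
}


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree, as a share might look after the ransomware ran.
    File contents are placeholders; nothing here is real encrypted data."""
    files = {
        "docs/budget.xlsx.WNCRY": b"\x00" * 32,
        "docs/@WanaDecryptor@.exe": b"MZ",
        "photos/holiday.jpg.WNCRY": b"\x00" * 32,
        "photos/@WanaDecryptor@.exe": b"MZ",
        "src/main.cpp.wncry": b"\x00" * 32,
        "src/build.log.WNCRY": b"\x00" * 32,   # 'log' is not in the list: a deviating variant
        "src/readme.md": b"# untouched, not a targeted extension\n",
        "notes.txt": b"untouched, but a targeted extension\n",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def triage(root: Path) -> dict:
    """Classify every file under root into encrypted files (with the recovered
    original name), dropped decryptor binaries, and untouched files whose
    extension the ransomware targets (worth checking first after cleanup)."""
    report = {"encrypted": [], "decryptor_drops": [], "clean_targeted": []}
    files = sorted((p for p in root.rglob("*") if p.is_file()),
                   key=lambda p: p.relative_to(root).as_posix())
    for path in files:
        rel = path.relative_to(root).as_posix()
        name_lower = path.name.lower()
        if name_lower == DROPPED_DECRYPTOR:
            report["decryptor_drops"].append(rel)
        elif name_lower.endswith(ENCRYPTED_SUFFIX):
            original = path.name[: -len(ENCRYPTED_SUFFIX)]
            ext = original.rsplit(".", 1)[1].lower() if "." in original else ""
            report["encrypted"].append({
                "path": rel,
                "original": (path.parent.relative_to(root) / original).as_posix(),
                "ext": ext,
                "targeted": ext in TARGETED_EXTENSIONS,
            })
        else:
            ext = path.suffix.lstrip(".").lower()
            if ext in TARGETED_EXTENSIONS:
                report["clean_targeted"].append(rel)
    return report


def demo() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    result = demo()
    for entry in result["encrypted"]:
        flag = "" if entry["targeted"] else "  (extension not in the known list)"
        print(f"encrypted: {entry['path']} -> {entry['original']}{flag}")
    print("decryptor drops:", result["decryptor_drops"])
    print("untouched files with targeted extensions:", result["clean_targeted"])
```

An encrypted file whose recovered extension is not in the list (the "build.log" case above) is worth a second look: either the sample is a variant with a different target list, which the generic detection allows for, or something other than this ransomware renamed it.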

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date        Version    Detail
2023-12-18  91.09831
2023-11-22  91.09040
2023-08-30  91.06506
2023-01-24  90.09944
2023-01-19  90.09804
2022-06-21  90.03462
2022-06-15  90.03285
2022-04-22  90.01637
2022-03-17  90.00561
2021-07-13  87.00600