{
	"id": "29c4b7a3-a323-4782-8277-f0553d95c6b4",
	"created_at": "2026-04-06T00:07:05.733936Z",
	"updated_at": "2026-04-10T03:20:47.533123Z",
	"deleted_at": null,
	"sha1_hash": "956309a9915f74f31fc086973764c850cfd106c5",
	"title": "A Technical Analysis of WannaCry Ransomware | LogRhythm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2377011,
	"plain_text": "A Technical Analysis of WannaCry Ransomware | LogRhythm\r\nBy LogRhythm\r\nPublished: 2017-05-16 · Archived: 2026-04-05 12:44:38 UTC\r\nContributors to this in-depth research analysis include Erika Noerenberg, Andrew Costis, and Nathanial Quist—\r\nall members of the LogRhythm Labs research group.\r\nSummary\r\nRansomware that has been publicly named “WannaCry,” “WCry” or “WanaCrypt0r” (based on strings in the\r\nbinary and encrypted files) has spread to at least 74 countries as of Friday 12 May 2017, reportedly targeting\r\nRussia initially, and spreading to telecommunications, shipping, car manufacturers, universities and health care\r\nindustries, among others. The malware encrypts user files, demanding a fee of either $300 or $600 worth of\r\nbitcoins to an address specified in the instructions displayed after infection.\r\nThe WannaCry ransomware is composed of multiple components. An initial dropper contains the encrypter as an\r\nembedded resource; the encrypter component contains a decryption application (“Wana Decrypt0r 2.0”), a\r\npassword-protected zip containing a copy of Tor, and several individual files with configuration information and\r\nencryption keys. It is not conclusively known as of this report what vector was used for the initial infection. There\r\nwas speculation that a weaponized PDF was circulated in a phishing campaign, but analysts have not confirmed\r\nthis conjecture, and the supposed PDF sample obtained by LogRhythm analysts was not functional.\r\nWannaCry Analysis\r\nMultiple samples of the WannaCry dropper have been identified by researchers; although they share similar\r\nfunctionality, the samples differ slightly. 
The dropper sample, encrypter, and decrypter analyzed in this report have\r\nthe following SHA256 hash values:\r\nDropper 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\r\nEncrypter ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\r\nDecrypter b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\r\nThe authors did not appear to be concerned with thwarting analysis, as the samples analyzed contained little\r\nif any obfuscation, anti-debugging, or VM-aware code. However, the malware makes use of an exploit developed\r\nby NSA analysts which was patched by Microsoft on 14 March 2017 (MS17-010, see\r\nhttps://technet.microsoft.com/en-us/library/security/ms17-010.aspx for details), although many\r\nunpatched systems remain vulnerable. Applying this patch closes the SMB propagation path and so mitigates the spread\r\nof WannaCry, but it does not prevent infection of a host on which the dropper is executed by some other means.\r\nhttps://web.archive.org/web/20230522041200/https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/\r\nPage 1 of 16\n\nThe exploit used, named EternalBlue, exploits a vulnerability in the Server Message Block (SMB) protocol which\r\nallows the malware to spread to all unpatched Windows systems from XP to 2016 on a network that have this\r\nprotocol enabled. The vulnerability allows remote code execution over SMB v1. WannaCry uses this exploit\r\nby crafting a custom SMB session request with hard-coded values based on the target system. Notably, after the\r\nfirst SMB packet sent to the victim’s IP address, the malware sends two additional packets to the victim containing\r\nthe hard-coded IP addresses 192.168.56.20 and 172.16.99.5. 
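To make that network indicator concrete, the following is an added example written for this edit in Python; it is not LogRhythm code and is not part of the original report. It parses NetBIOS-framed SMBv1 messages and fires on the same two conditions as the NetMon query rules at the end of this report: a Transaction2 Secondary command, and a Tree Connect AndX request whose share path carries one of the two hard-coded IP addresses. The assumption beyond what the report states is that the addresses appear in the Tree Connect path as a UNC path to the IPC$ share; the test packets are constructed inside the block, not taken from a capture.

```python
import struct

# Indicators from the report: the two hard-coded IPs in the exploit packets and the
# SMBv1 command the NetMon rule keys on. Offsets follow the SMBv1 header layout.
HARDCODED_IPS = ('192.168.56.20', '172.16.99.5')
SMB1_MAGIC = bytes.fromhex('ff534d42')          # 0xFF 'S' 'M' 'B'
CMD_TRANSACTION2_SECONDARY = 0x33
CMD_TREE_CONNECT_ANDX = 0x75
FLAGS2_UNICODE = 0x8000
SMB_HEADER_LEN = 32
SEP = chr(92)                                   # backslash, built this way so the listing has no escape sequences


def parse_smb1(payload):
    # Split a NetBIOS-session-framed SMBv1 message into (command, flags2, body).
    # Returns None for anything that is not SMBv1 (SMB2/3 starts with 0xFE 'SMB').
    if len(payload) < 4 + SMB_HEADER_LEN or payload[0] != 0 or payload[4:8] != SMB1_MAGIC:
        return None
    header = payload[4:4 + SMB_HEADER_LEN]
    command = header[4]                                  # after the 4-byte magic
    flags2 = struct.unpack_from('<H', header, 10)[0]     # after command, status(4), flags
    return command, flags2, payload[4 + SMB_HEADER_LEN:]


def _cstring(data, pos, unicode):
    # Read a NUL-terminated string (UTF-16LE or single-byte) starting at pos.
    if unicode:
        end = pos
        while end + 1 < len(data) and data[end:end + 2] != bytes(2):
            end += 2
        return data[pos:end].decode('utf-16-le', errors='replace')
    end = data.find(0, pos)
    return data[pos:end if end >= 0 else len(data)].decode('latin-1')


def tree_connect_path(flags2, body):
    # Tree Connect AndX body: WordCount, 4 parameter words, ByteCount, Password, Path, Service.
    word_count = body[0]
    password_len = struct.unpack_from('<H', body, 1 + 6)[0]   # PasswordLength is the 4th word
    data_start = 1 + 2 * word_count + 2
    data = body[data_start:]
    pos = password_len                                        # skip the password
    unicode = bool(flags2 & FLAGS2_UNICODE)
    # Unicode strings are padded to a 2-byte boundary measured from the SMB header start.
    if unicode and (SMB_HEADER_LEN + data_start + pos) % 2:
        pos += 1
    return _cstring(data, pos, unicode)


def classify(payload):
    # Return the detections fired by one SMB message (empty list if nothing fired).
    parsed = parse_smb1(payload)
    if parsed is None:
        return []
    command, flags2, body = parsed
    hits = []
    if command == CMD_TRANSACTION2_SECONDARY:
        hits.append('smb1_transaction2_secondary')
    if command == CMD_TREE_CONNECT_ANDX and len(body) >= 11:
        path = tree_connect_path(flags2, body)
        hits.extend('smb1_tree_connect_hardcoded_ip:' + ip for ip in HARDCODED_IPS if ip in path)
    return hits


# --- constructed test packets (built here for the example, not captures from the report) ---

def _smb_header(command, flags2):
    # magic, command, status(4), flags, flags2, then PIDHigh/SecurityFeatures/Reserved/TID/PID/UID/MID zeroed
    return SMB1_MAGIC + bytes([command]) + bytes(4) + bytes([0x18]) + struct.pack('<H', flags2) + bytes(20)


def _netbios(smb):
    return bytes(1) + len(smb).to_bytes(3, 'big') + smb


def build_tree_connect(path, unicode=True):
    # Tree Connect AndX request for the given UNC path, with a 1-byte empty password.
    flags2 = FLAGS2_UNICODE if unicode else 0
    params = bytes([0xFF, 0]) + struct.pack('<HHH', 0, 0, 1)   # no AndX, offset, flags, PasswordLength=1
    password = bytes(1)
    data_start = 1 + len(params) + 2
    if unicode:
        pad = bytes(1) if (SMB_HEADER_LEN + data_start + len(password)) % 2 else bytes(0)
        encoded = pad + path.encode('utf-16-le') + bytes(2)
    else:
        encoded = path.encode('latin-1') + bytes(1)
    data = password + encoded + b'?????' + bytes(1)          # Service field: any type
    body = bytes([4]) + params + struct.pack('<H', len(data)) + data
    return _netbios(_smb_header(CMD_TREE_CONNECT_ANDX, flags2) + body)


def build_transaction2_secondary():
    # Transaction2 Secondary request with its parameter/data block omitted.
    body = bytes([0]) + struct.pack('<H', 0)
    return _netbios(_smb_header(CMD_TRANSACTION2_SECONDARY, 0) + body)


def unc(host, share):
    return SEP * 2 + host + SEP + share


if __name__ == '__main__':
    for pkt in (build_tree_connect(unc('192.168.56.20', 'IPC$')),
                build_tree_connect(unc('172.16.99.5', 'IPC$'), unicode=False),
                build_tree_connect(unc('fileserver', 'share')),
                build_transaction2_secondary()):
        print(pkt[4:9].hex(), classify(pkt))
```

The Transaction2 Secondary check on its own is the noisier of the two, since that command also occurs in legitimate SMBv1 traffic; the hard-coded path check is the one worth alerting on directly, and disabling SMBv1 removes the need for both.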
A LogRhythm Network Monitoring (NetMon) query\r\nrule to detect this traffic is included at the end of this report.\r\nFigure 1: Sample SMB Packet\r\nWhen the dropper is executed, it first attempts to make a connection to the domain\r\nhttp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com and exits if the connection is successful. This\r\ndomain was previously unregistered, so the connection failed. On the afternoon of 12 May, however, the\r\ndomain was registered and sinkholed by researcher MalwareTech, effectively acting as a “killswitch” for many\r\nsystems and thereby slowing the rate of infection. Note that the malware opens this connection directly, without\r\nhonoring the system proxy configuration; on a network where Internet access is only possible through a proxy, the\r\nconnection fails regardless of the sinkhole, so those systems remain vulnerable.\r\nIf the connection fails, the dropper attempts to create a service named “mssecsvc2.0” with the DisplayName\r\n“Microsoft Security Center (2.0) Service”. The service start can be observed in the System event log as event ID 7036.\r\nFigure 2: Event ID 7036\r\nThe dropper then extracts the encrypter binary from its resource R/1831, writes it to the hardcoded filename\r\n%WinDir%\\tasksche.exe, and then executes it.\r\nWhen executed, the encrypter checks to see if the mutex “MsWinZonesCacheCounterMutexA0” exists, and will\r\nnot proceed if present. 
Notably, the malware does not then create this mutex, suggesting that it is checking for the\r\npresence of other software on the system, as seen in the figure below:\r\nFigure 3: Encrypter Checks to See if the Mutex Exists\r\nThe encrypter binary also contains a password-protected zip file (password: WNcry@2ol7) containing the\r\nfollowing files:\r\nA directory named “msg” containing Rich Text Format files with the extension .wnry. These files are the\r\n“Readme” file used by the @WanaDecryptor@.exe decrypter program in each of the following 28 languages:\r\nbulgarian, chinese (simplified), chinese (traditional), croatian, czech, danish, dutch, english, filipino, finnish,\r\nfrench, german, greek, indonesian, italian, japanese, korean, latvian, norwegian, polish, portuguese, romanian,\r\nrussian, slovak, spanish, swedish, turkish, vietnamese\r\nThe English and Spanish translations (at least) of the decryption message appear to be machine-translated, as there\r\nare grammatical mistakes that would not be expected from native speakers.\r\nb.wnry, a bitmap file displaying instructions for decryption\r\nc.wnry, containing the following addresses:\r\ngx7ekbenv2riucmf.onion\r\n57g7spgrzlojinas.onion\r\nxxlvbrloxvriy2c5.onion\r\n76jdd2ir2embyv47.onion\r\ncwwnhwhlz52maqm7.onion\r\nhttps://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip\r\nr.wnry, additional decryption instructions used by the decrypter tool, in English\r\ns.wnry, a zip file containing the Tor software executable\r\nt.wnry, encrypted using the WANACRY! 
encryption format, where “WANACRY!” is the file header\r\ntaskdl.exe (hash 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79), file\r\ndeletion tool\r\ntaskse.exe (hash 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d),\r\nenumerates Remote Desktop Protocol (RDP) sessions and executes the malware in each session\r\nu.wnry (hash b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25),\r\n“@WanaDecryptor@.exe” decrypter file\r\nAfter dropping these files to its working directory, the malware attempts to mark all the files as\r\n“hidden” and to grant Everyone full control of all files in the current directory and any directories below. It does\r\nthis by executing “attrib +h .”, followed by “icacls . /grant Everyone:F /T /C /Q”.\r\nFigure 4: Execution of “attrib +h .” Followed by “icacls_GrantEv”\r\nWannaCry then proceeds to encrypt files on the system, searching for the following file extensions, which are\r\nhard-coded in the binary (170 entries, listed here column by column as they appeared in the original table):\r\n.docx .docb .docm .dot .dotm .dotx .xls .xlsm .xlsb .xlw .xlt .xlm .xlc .xltx .xltm .ppt .pptx .pptm .pot .pps .ppsm .ppsx\r\n.ppam .potx .potm .pst .ost .msg .eml .vsd .vsdx .txt .csv .rtf .123 .wks .wk1 .pdf .dwg .onetoc2 .snt .hwp .602 .sxi\r\n.sti .sldx .sldm .sldm .vdi .vmdk .vmx .aes .ARC .PAQ .bz2 .tbk .bak .tar .tgz .gz .7z .rar .zip .backup .iso\r\n.vcd .jpeg .jpg .bmp .png .gif .raw .tif .tiff .nef .psd .ai .svg .djvu .m4u .m3u .mid .wma .flv .3g2 .mkv\r\n.3gp .mp4 .mov .avi .asf .mpeg .vob .wmv .fla .swf .wav .mp3 .sh .class .jar .java .rb .asp .php .jsp .brd\r\n.sch .dch .dip .pl .vb .vbs .ps1 .cmd .js .asm .h .pas .cpp .c .cs .suo .sln .ldf .mdf .ibd .myi\r\n.myd .frm .odb .dbf .db .mdb .accdb .sqlitedb .sqlite3 .asc .lay6 .lay .mml .sxm .otg .odg .uop .std .sxd .otp .odp\r\n.wb2 .slk .dif .stc .sxc .ots .ods .max .3ds .uot .stw .sxw .ott .odt .pem .p12 .csr .crt .key .pfx .der\r\nIn addition, a registry key is written to “HKLM\\SOFTWARE\\Wow6432Node\\WanaCrypt0r\\wd” that records the\r\nlocation from which WannaCry was originally executed.\r\nThe WannaCry encrypter launches the embedded decrypter binary “@WanaDecryptor@.exe,” which displays two\r\ntimers and instructions for sending the ransom in the configured language of the infected system. The instructions\r\ndemand a payment of $300 worth of bitcoins to a specified address. The following addresses are hardcoded in the\r\nbinary, although only the first was observed to be used by the analyzed sample:\r\n12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw\r\n115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn\r\n13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94\r\nFigure 5: Addresses Hardcoded in Binary\r\nThe following is a screenshot of the “Wana Decrypt0r 2.0” program:\r\nFigure 6: Screenshot of Wana Decrypt0r 2.0 Program\r\nThe malware also displays the following bitmap image contained in “b.wnry” on the desktop, in case the “Wana\r\nDecrypt0r” program failed to execute:\r\nFigure 7: Bitmap Image Contained in “b.wnry” Displayed on Desktop\r\nIf the ransom is not paid before the first timer expires, the ransom price doubles. After the second timer expires,\r\nthe malware readme states that the files will be unrecoverable. Once the files are encrypted, they are\r\nunrecoverable without the decryption key. 
The malware uses the Microsoft Enhanced RSA and AES\r\nCryptographic Provider (CryptoAPI) to perform the encryption.\r\nAfter the files are encrypted, the decrypter program attempts to delete any Windows Shadow Copies and to disable\r\nWindows recovery and the backup catalog via this command:\r\ncmd.exe /c vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete \u0026 bcdedit /set {default}\r\nbootstatuspolicy ignoreallfailures \u0026 bcdedit /set {default} recoveryenabled no \u0026 wbadmin delete catalog -quiet\r\nWannaCry Mitigation\r\nIf a system becomes infected with the WannaCry ransomware, it is best to try to restore files from backup rather\r\nthan paying the ransom, as there is no guarantee that payment will lead to successful decryption.\r\nIn order to prevent infection and the spread of this malware across the network, all Windows systems should be up\r\nto date on current patches and antivirus signatures. Additionally, blocking inbound connections to SMB ports (139\r\nand 445) will prevent the spread of the malware to systems that have not yet received the MS17-010 patch.\r\nFor further guidance, refer to the following Microsoft blog article which references an emergency patch that was\r\nissued for customers who are running unsupported operating systems:\r\nhttps://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/\r\nLogRhythm Signatures\r\nWannaCry_Command Arguments\r\nFigure 8: WannaCry_Command Arguments\r\nWannaCry_Initial Callout\r\nFigure 9: WannaCry_Initial Callout\r\nWannaCry_RegistryKeyCreation\r\nFigure 10: 
WannaCry_RegistryKeyCreation\r\nWannaCry_Tor-EncryptorFile\r\nFigure 11: WannaCry_Tor-EncryptorFile\r\nNetMon Query Rules\r\nThe following query rules can identify the SMB traffic generated by the initial WannaCry dropper exploit. These rules\r\nmay generate false positives in some network environments, the first in particular, since Transaction2 Secondary\r\nrequests also occur in legitimate SMBv1 traffic.\r\n| Application:SMB AND Version:1 AND CommandString:*transaction2_secondary* |\r\n| Application:SMB AND Version:1 AND (Path:192.168.56.20 OR Path:172.16.99.5) |\r\nIndicators of Compromise\r\nSHA256 Hash Values\r\ned01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa\r\nc365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9\r\n09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa\r\n0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894\r\n428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f\r\n5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6\r\n62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1\r\n72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd\r\n85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186\r\na1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b\r\na93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3\r\nb43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c\r\neb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4\r\n24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c\r\n2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e\r\n7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545\r\na897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b\r\nfb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc\r\n9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967\r\n4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982\r\n149601e15002f78866ab73033eb8577f11bd489a4cea87b10c52a70fdf78d9ff\r\n190d9c3e071a38cb26211bfffeb6c4bb88bd74c6bf99db9bb1f084c6a7e1df4e\r\n2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd\r\n593bbcc8f34047da9960b8456094c0eaf69caaf16f1626b813484207df8bd8af\r\n5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec\r\n7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff\r\n9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640\r\n9fb39f162c1e1eb55fbf38e670d5e329d84542d3dfcdc341a99f5d07c4b50977\r\nb47e281bfbeeb0758f8c625bed5c5a0d27ee8e0065ceeadd76b0010d226206f0\r\nb66db13d17ae8bcaf586180e3dcd1e2e0a084b6bc987ac829bbff18c3be7f8b4\r\nd8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127\r\nf8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85\r\n11d0f63c06263f50b972287b4bbd1abe0089bc993f73d75768b6b41e3d6f6d49\r\n16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab\r\n6bf1839a7e72a92a2bb18f
bedf1873e4892b00ea4b122e48ae80fac5048db1a7\r\nb3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7\r\ne14f1a655d54254d06d51cd23a2fa57b6ffdf371cf6b828ee483b1b1d6d21079\r\ne8450dd6f908b23c9cbd6011fe3d940b24c0420a208d6924e2d920f92c894a96\r\n0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a\r\n9b3262b9faecb28da4637444f54c060c8d884c3e8cf676815e8ae5a72af48ed4\r\nd5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa\r\n1465987e3c28369e337f00e59105dea06a3d34a94c2a290caed887e2fed785ac\r\n402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c\r\ne18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b\r\n97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6\r\n4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79\r\n2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d\r\nb9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25\r\n4870714e654ad4ca7b480b81195f29c56353c6f42d66754ad414c1bc1d25fbb9\r\nbdc8f135484daf898c6d76a244e630a797652b0af1722712515ce844c66bf4af\r\n71b25aeae6470f9ab93db1e80a500bf61282ae8dc505a8e3c781309e46037613\r\n963caaac4a537ad1250fe77510906236261bc7b8ac3c72269d6c059cb5f8f71d\r\nAI Engine Rules (For LogRhythm Customers)\r\nIn our ongoing effort to analyze and respond to the WannaCry malware outbreak, we’ve created a set of exported\r\nrules for our customers. 
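For readers who are not LogRhythm customers, the host-side behaviours catalogued in this report (the mssecsvc2.0 service, tasksche.exe and the other dropped binaries, the attrib and icacls commands, the WanaCrypt0r registry key, the kill-switch domain lookup and the vssadmin/wmic/bcdedit/wbadmin command line) translate directly into a correlation over endpoint telemetry. The following is an added example in Python written for this edit; it is not a LogRhythm AI Engine rule and not part of the original report. The event records are constructed here in a simple dictionary form, and the rule-family names, the verdict thresholds and the host names are this example's own choices, not anything the report defines.

```python
import re

# Host-side indicators taken from the report, matched over a normalised form of each event.
SEP = chr(92)                        # backslash, built this way so the listing carries no escape sequences
KILLSWITCH_DOMAIN = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
SERVICE_NAME = 'mssecsvc2.0'
REGISTRY_KEY = 'hklm/software/wow6432node/wanacrypt0r'   # separators normalised to '/' by normalise()
WANNACRY_SPECIFIC = {'dropped_binary', 'registry', 'service', 'network'}

# (rule name, regex over 'image cmdline'). The prefix before ':' is the rule family used for the verdict.
COMMAND_RULES = [
    ('recovery_tamper: vssadmin delete shadows', 'vssadmin +delete +shadows'),
    ('recovery_tamper: wmic shadowcopy delete', 'wmic +shadowcopy +delete'),
    ('recovery_tamper: bcdedit recoveryenabled no', 'bcdedit +/set +[{]default[}] +recoveryenabled +no'),
    ('recovery_tamper: bcdedit bootstatuspolicy', 'bcdedit +/set +[{]default[}] +bootstatuspolicy +ignoreallfailures'),
    ('recovery_tamper: wbadmin delete catalog', 'wbadmin +delete +catalog'),
    ('acl_tamper: icacls grant Everyone:F', 'icacls +[.] +/grant +everyone:f'),
    ('acl_tamper: attrib +h', 'attrib +[+]h +[.]'),
    ('dropped_binary: WannaCry component', '(^|/)(tasksche|taskdl|taskse|@wanadecryptor@)[.]exe'),
]


def normalise(text):
    # Lower-case and turn backslashes into '/', so one pattern covers any casing or separator.
    return text.lower().replace(SEP, '/')


def evaluate(events):
    # Return (event index, rule name) pairs for every indicator that fires.
    hits = []
    for idx, ev in enumerate(events):
        kind = ev['type']
        if kind == 'process':
            subject = normalise(ev.get('image', '') + ' ' + ev.get('cmdline', ''))
            hits.extend((idx, name) for name, pattern in COMMAND_RULES if re.search(pattern, subject))
        elif kind == 'registry' and normalise(ev['key']).startswith(REGISTRY_KEY):
            hits.append((idx, 'registry: WanaCrypt0r key written'))
        elif kind == 'service' and normalise(ev['name']) == SERVICE_NAME:
            hits.append((idx, 'service: mssecsvc2.0 created'))
        elif kind == 'dns' and normalise(ev['query']).endswith(KILLSWITCH_DOMAIN):
            hits.append((idx, 'network: kill-switch domain lookup'))
    return hits


def host_verdict(events):
    # Recovery tampering alone is generic ransomware behaviour; combined with a WannaCry-specific
    # family (dropped binary, registry key, service, kill-switch lookup) it points at WannaCry.
    families = {}
    for idx, name in evaluate(events):
        families.setdefault(events[idx]['host'], set()).add(name.split(':')[0])
    verdicts = {}
    for host, fam in families.items():
        if 'recovery_tamper' in fam and fam & WANNACRY_SPECIFIC:
            verdicts[host] = 'wannacry_likely'
        elif 'recovery_tamper' in fam:
            verdicts[host] = 'ransomware_behaviour'
        else:
            verdicts[host] = 'suspicious'
    return verdicts


def winpath(*parts):
    return SEP.join(parts)


# Constructed sample telemetry (Sysmon/4688-style process, registry, service and DNS events); not real logs.
SAMPLE_EVENTS = [
    {'type': 'dns', 'host': 'ws-17', 'query': 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'},
    {'type': 'service', 'host': 'ws-17', 'name': 'mssecsvc2.0', 'display': 'Microsoft Security Center (2.0) Service'},
    {'type': 'process', 'host': 'ws-17', 'image': winpath('C:', 'Windows', 'tasksche.exe'), 'cmdline': 'tasksche.exe'},
    {'type': 'registry', 'host': 'ws-17', 'key': winpath('HKLM', 'SOFTWARE', 'Wow6432Node', 'WanaCrypt0r', 'wd')},
    {'type': 'process', 'host': 'ws-17', 'image': winpath('C:', 'Windows', 'System32', 'attrib.exe'), 'cmdline': 'attrib +h .'},
    {'type': 'process', 'host': 'ws-17', 'image': winpath('C:', 'Windows', 'System32', 'icacls.exe'),
     'cmdline': 'icacls . /grant Everyone:F /T /C /Q'},
    {'type': 'process', 'host': 'ws-17', 'image': winpath('C:', 'Windows', 'System32', 'cmd.exe'),
     'cmdline': 'cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & '
                'bcdedit /set {default} bootstatuspolicy ignoreallfailures & '
                'bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet'},
    # another host: shadow copy deletion only, no WannaCry-specific artefact
    {'type': 'process', 'host': 'ws-03', 'image': winpath('C:', 'Windows', 'System32', 'vssadmin.exe'),
     'cmdline': 'vssadmin delete shadows /for=C: /oldest'},
    # benign administration that must not fire
    {'type': 'process', 'host': 'fs-02', 'image': winpath('C:', 'Windows', 'System32', 'vssadmin.exe'), 'cmdline': 'vssadmin list shadows'},
    {'type': 'process', 'host': 'fs-02', 'image': winpath('C:', 'Windows', 'System32', 'icacls.exe'),
     'cmdline': 'icacls D:' + SEP + 'share /grant Users:R'},
    {'type': 'registry', 'host': 'fs-02', 'key': winpath('HKLM', 'SOFTWARE', 'Microsoft', 'Windows', 'CurrentVersion', 'Run')},
]

if __name__ == '__main__':
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(SAMPLE_EVENTS[idx]['host'], name)
    print(host_verdict(SAMPLE_EVENTS))
```

The separation into families is the point: the shadow-copy and bcdedit commands are shared by many ransomware families and by some legitimate maintenance, so on their own they justify a ransomware alert but not attribution, whereas the service name, the dropped file names, the registry key and the kill-switch lookup are specific to the samples in this report.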
Following are step-by-step instructions for importing the rules into your LogRhythm\r\nenvironment.\r\nAI Engine Rule Import Procedure\r\nDownload the AI Engine Rules\r\nOpen the LogRhythm Console.\r\nNavigate to the AI Engine Tab via Deployment Manager \u003e AI Engine Tab.\r\nFigure 12: AI Engine Tab\r\nSelect the pull-down menu “Actions,” and then select “Import.”\r\nFigure 13: Pull-Down Menu \u003e Actions \u003e Import\r\nSelect the .airx (AI Rules File Format) files you wish to import, and select “Open.”\r\nFigure 14: Import .airx Files\r\nUpon a successful import, you will be presented with the following pop-up window:\r\nFigure 15: Confirmation\r\nIt is possible that an error will appear stating that the KB version is out of date with the AI Engine Rules selected\r\nfor import. If this occurs, upgrade your KB to the latest version, and perform this procedure again.\r\nSource: https://web.archive.org/web/20230522041200/https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20230522041200/https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/"
	],
	"report_names": [
		"a-technical-analysis-of-wannacry-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434025,
	"ts_updated_at": 1775791247,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/956309a9915f74f31fc086973764c850cfd106c5.pdf",
		"text": "https://archive.orkl.eu/956309a9915f74f31fc086973764c850cfd106c5.txt",
		"img": "https://archive.orkl.eu/956309a9915f74f31fc086973764c850cfd106c5.jpg"
	}
}