It drops the following file(s) on the system:

• "C:\Documents and Settings\Default User\Start Menu\Programs\Startup\SDEF.tmp"
• "C:\WINDOWS\Temp\!WannaDecryptor!.exe"
• "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SDCE.tmp"
• "C:\WINDOWS\Temp\112881393834640_.bat"
• "C:\Documents and Settings\Admin\Start Menu\Programs\Startup\SD8D.tmp"

• "C:\WINDOWS\system32\wbem\Logs\WMIC.LOG"

It creates the following mutex(es):

• ZonesCacheCounterMutex"
• MSCTF.Shared.MUTEX.ACD"
• ZonesLockedCacheCounterMutex"
• c:!documents and settings!admin!local settings!history!history.ie5!"
• WINDOWS_TASKOSHT_MUTEX0"
• CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
• CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003"
• CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
• c:!documents and settings!admin!local settings!temporary internet files!content.ie5!"
• ZoneAttributeCacheCounterMutex"
• SHIMLIB_LOG_MUTEX"
• WininetConnectionMutex"
• CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
• MSCTF.Shared.MUTEX.ICG"
• CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
• ZonesCounterMutex"
• CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003"
• c:!documents and settings!admin!cookies!"

• C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im Microsoft.Exchange. ]
• C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe ]
• C:\WINDOWS\Temp\b9b3965d1b218c63cd317ac33edcb942.exe [ \c:\windows\temp\b9b3965d1b218c63cd317ac33edcb942.exe ]
• C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im MSExchange ]
• C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe v ]
• C:\WINDOWS\system32\cmd.exe [ cmd.exe /c start /b !WannaDecryptor!.exe v ]
• C:\WINDOWS\system32\cmd.exe [ cmd.exe /c vssadmin delete shadows /all /quiet wmic shadowcopy delete bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit /set {default} recoveryenabled no wbadmin delete catalog -quiet ]
• C:\WINDOWS\system32\wbem\wmic.exe [ wmic shadowcopy delete ]
• C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe c ]
• C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im sqlserver.exe ]
• C:\WINDOWS\system32\cmd.exe [ cmd /c 112881393834640.bat ]
• C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im sqlwriter.exe ]
• C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe f ]

We observed the following DNS query/queries:

• dist.torproject.org
• www.dropbox.com
• www.download.windowsupdate.com

• 127.xxxxxx:1031
• 127.xxxxxx:1037

UPDATE:

As of May 12th 2017 we have observed a new variant of the WannaCrypt Ransomware. It has been reported that version 2 of this ransomware has been deployed by its operators on a large international scale. It has wreaked havoc among UK's National Health Service by hitting at least 15 hospitals across the nation causing denial of access to vital patient information. Other attacks include Spanish telecommunications companies such as Vodafone and Telefonica.

The new version uses the following dialog:

At the time of writing, the network infrastructure for the Trojan had been severed and the timer does not work.

SonicWall covers multiple variants of this threat via the following signatures:

• GAV: WannaCrypt.RSM (Trojan)
• GAV: WannaCrypt.RSM_2 (Trojan)
• GAV: WannaCrypt.RSM_3 (Trojan)
• GAV: WannaCrypt.RSM_4 (Trojan)
• GAV: WannaCrypt.RSM_5 (Trojan)
• GAV: WannaCrypt.RSM_6 (Trojan)
• GAV: WannaCrypt.RSM_7 (Trojan)
• GAV: WannaCrypt.RSM_8 (Trojan)
• GAV: WannaCrypt.RSM.ar1 (Trojan)
• GAV: WannaCrypt.RSM.ar2 (Trojan)
• GAV: WannaCrypt.RSM.ar3 (Trojan)
• GAV: WannaCrypt.RSM.ar4 (Trojan)
• GAV: WannaCrypt.RSM.ar5 (Trojan)
• GAV: WannaCrypt.RSM.ar6 (Trojan)
• GAV: WannaCrypt.RSM.ar7 (Trojan)
• GAV: WannaCrypt.RSM.7z1 (Trojan)
• GAV: WannaCrypt.RSM.7z2 (Trojan)
• GAV: WannaCrypt.RSM.7z3 (Trojan)
• GAV: HydraCrypt.C (Trojan)
• GAV: HydraCrypt.C_2 (Trojan)