The ThreatFox: WannaCryptor IOCs rule detects potential WannaCryptor malware activity by identifying known malicious indicators associated with this ransomware family. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage ransomware attacks before they encrypt critical assets.
IOC Summary
Malware Family: WannaCryptor
Total IOCs: 3
IOC Types: sha1_hash, sha256_hash, md5_hash
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| md5_hash | 97d63f8a798d8195948ef4ea51909385 | payload | 2026-06-17 | 95% |
| sha256_hash | 08ccc97bfba93caf89566888a138d473a4699838f726c22c836495d6c9efd22e | payload | 2026-06-17 | 95% |
| sha1_hash | 6124dd12f985d3d3cab32f4a0c78b263153a6f52 | payload | 2026-06-17 | 95% |
```kql
// Hunt for files matching known malicious hashes
// Source: ThreatFox - WannaCryptor
let malicious_hashes = dynamic(["97d63f8a798d8195948ef4ea51909385", "08ccc97bfba93caf89566888a138d473a4699838f726c22c836495d6c9efd22e", "6124dd12f985d3d3cab32f4a0c78b263153a6f52"]);
DeviceFileEvents
| where SHA256 in (malicious_hashes) or SHA1 in (malicious_hashes) or MD5 in (malicious_hashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Job
Description: A legitimate scheduled backup job uses a script or tool that matches WannaCryptor IOCs (e.g., wannacrypt.exe or specific hashes).
Filter/Exclusion: Exclude processes associated with backup tools like VSSAdmin.exe, wbadmin.exe, or paths containing C:\Windows\System32\wbadmin or C:\Program Files\Microsoft Backup.
Scenario: Admin Task for Patch Management
Description: An admin task runs a script that temporarily uses a WannaCryptor IOC (e.g., a hash of a legitimate tool) during a patching process.
Filter/Exclusion: Exclude processes initiated by Task Scheduler with a description containing “patch” or “update”, or filter by user Administrators with a specific task name.
Scenario: Legitimate Antivirus Scan
Description: A security tool (e.g., Kaspersky, Bitdefender) performs a scan and temporarily matches WannaCryptor IOCs during signature analysis.
Filter/Exclusion: Exclude processes with names like kavsvc.exe, bdagent.exe, or paths containing C:\Program Files\Kaspersky or C:\Program Files\Bitdefender.
Scenario: Development Environment Testing
Description: A developer is testing a malware analysis tool that includes WannaCryptor IOCs as part of a sandbox environment.
Filter/Exclusion: Exclude processes running from a known sandbox path (e.g., C:\Windows\System32\sandbox) or with a user context of LocalService or NetworkService.
Scenario: Legacy Tool Decommissioning
Description: An old tool (e.g., msiexec.exe) is being decommissioned and its artifacts are still present in the system, triggering
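A tuned version of the hunt, added here as an example and not part of the original rule: it applies the exclusion values from the scenarios above (assumed allow-lists, a 30-day lookback, and assumed spellings for the service-account names) as a tag rather than a drop, because a hash match on a known ransomware payload is high fidelity and should stay visible for review even when it comes from a backup, antivirus or sandbox context. Column names are those of the Defender DeviceFileEvents table.

```kql
// Added example (not the original rule): same hash hunt, with the
// false-positive tuning from the scenarios applied as a tag, not a filter.
let malicious_hashes = dynamic([
    "97d63f8a798d8195948ef4ea51909385",
    "08ccc97bfba93caf89566888a138d473a4699838f726c22c836495d6c9efd22e",
    "6124dd12f985d3d3cab32f4a0c78b263153a6f52"]);
// Assumed allow-lists built from the scenarios; adjust to your environment.
let tool_processes = dynamic(["vssadmin.exe", "wbadmin.exe", "kavsvc.exe", "bdagent.exe"]);
// Assumed spellings: MDE logs these accounts with a space, the scenario text without.
let service_accounts = dynamic(["local service", "network service", "localservice", "networkservice"]);
DeviceFileEvents
| where Timestamp > ago(30d)
// Lower-case the logged hashes so the exact-match 'in' never misses on case
| where tolower(SHA256) in (malicious_hashes)
    or tolower(SHA1) in (malicious_hashes)
    or tolower(MD5) in (malicious_hashes)
// First matching condition wins; empty string means no tuning rule applied
| extend TuningReason = case(
    InitiatingProcessFileName in~ (tool_processes), "backup or AV tool process (scenarios 1 and 3)",
    InitiatingProcessFolderPath startswith @"C:\Program Files\Microsoft Backup"
        or InitiatingProcessFolderPath startswith @"C:\Program Files\Kaspersky"
        or InitiatingProcessFolderPath startswith @"C:\Program Files\Bitdefender", "known tool install path (scenarios 1 and 3)",
    FolderPath startswith @"C:\Windows\System32\sandbox", "sandbox path (scenario 4)",
    InitiatingProcessAccountName in~ (service_accounts), "service account context (scenario 4)",
    "")
// Untagged matches are the ones to escalate; tagged ones still need a look
| extend Severity = iff(TuningReason == "", "High", "Review")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
    InitiatingProcessFileName, InitiatingProcessAccountName, Severity, TuningReason
| order by Timestamp desc
```

To turn the tag into a true exclusion for an analytics rule, append `| where TuningReason == ""`, but keep the untuned query as a hunting query so suppressed matches remain discoverable.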