WannaCry Ransomware: A DFIR & SOC Monitoring Lab Walkthrough
The article walks through building a free cybersecurity home lab step by step: setting up Elastic SIEM, configuring Sysmon, executing a WannaCry ransomware sample, and performing static and dynamic analysis. Digital forensics with Autopsy and Volatility, writing KQL detection rules, and threat hunting mapped to the MITRE ATT&CK framework help the reader develop security analysis skills. 2025-9-20 00:49:17 Author: infosecwriteups.com

Sparsh Ladani

Hello fellow defenders, I hope you are having a great day. In this article, I’m going to show you how you can build a cybersecurity home lab for free that covers executing WannaCry ransomware on a Windows endpoint and performing digital forensics and security monitoring!

Main idea of the lab: the first step involves setting up Elastic SIEM, configuring Sysmon on our Windows 10 VM (VirtualBox is the preferred hypervisor), downloading the WannaCry ransomware from GitHub (yes, there is a repository containing samples of different types of malware!), executing it, and performing threat hunting! Then comes the main part: digital forensics! We will be using Autopsy and Volatility for disk and memory forensics!

Static and Dynamic Analysis for WannaCry

In this lab, we will first perform static analysis by examining the WannaCry sample (SHA-256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa) without executing it, using tools like Hybrid Analysis to identify Indicators of Compromise (IoCs). This safe, initial assessment helps us craft KQL detection rules for Elastic SIEM, but it misses runtime behaviors like network activity or file encryption, which we need to observe in action.

Next, we conduct dynamic analysis by executing WannaCry in our isolated Windows 10 VM to observe real-time behaviors, such as file encryption and checks to the kill-switch domain (hxxp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com). This riskier step, performed after disabling internet and shared folders, validates our static IoCs and captures Sysmon logs for threat hunting in Elastic SIEM, providing a comprehensive view of WannaCry’s impact to refine our detection rules.

Set Up Elastic SIEM

  1. Head to https://cloud.elastic.co/login and sign up for a 14-day free trial. Choose Elastic Cloud Serverless as the deployment type — it’s lightweight and perfect for this lab.
  2. In the setup wizard, select Security as your use case. If asked, “How will you use Elastic for Security?” pick Something else — this keeps the setup flexible for our TTP simulation.
  3. Verify you’re in a serverless project: After logging in, check the top-left corner of the Elastic Cloud dashboard. It should say “Serverless” under your project name. If not, click Create Project, select Serverless, and name it (e.g., “TTP-Lab”).
  4. Add SIEM data: Navigate to Integrations > Elastic Defend > Add Elastic Defend. Set the integration name (e.g., “Windows-TTP-Defend”) and choose Complete EDR for full endpoint monitoring.
  5. Install Elastic Agent: In Elastic Defend’s settings, click Add Agent, select Windows x86–64, and copy the provided PowerShell command. Open an elevated PowerShell (Run as Administrator) on your Windows VM and paste the command to install the agent. This sets up log collection from your VM.
  6. Click Assets -> Agents


  7. Click Agent Policies -> click the current policy that you have, then click Add integration.


  8. Search for Windows and add the integration, but make sure that the option for Sysmon monitoring is turned on!


And you are done! Now you will be able to see Sysmon logs on your ELK SIEM.

Pro Tip: If the agent install fails, check your VM’s internet connection and ensure PowerShell is running as admin. You can verify the agent is running by checking Services (services.msc) for “Elastic Agent”.

Now let’s hop on to install Sysmon:

Sysmon is a System Monitoring tool that, unlike the classic Windows Event Logs, offers an analyst better visibility of processes launched, registry modifications, access to sensitive system files, network activity, etc., making it particularly useful for detecting suspicious activity.


  • Download Sysmon from Microsoft Sysinternals. Scroll to the bottom and download the zip file.
  • Extract the zip to a folder on your VM (e.g., C:\Tools\Sysmon).
  • Download a Sysmon config file from SwiftOnSecurity’s GitHub. This config is tested on real world scenarios, capturing key events like process creation, network connections, and registry mods while filtering noise.
  • In an elevated PowerShell, navigate to the Sysmon folder (e.g., cd C:\Tools\Sysmon) and run:
.\sysmon64.exe -accepteula -i ./path/to/your/config-file/sysmonconfig-export.xml

Why this particular config? SwiftOnSecurity’s XML is optimized for threat detection, capturing critical events like process injections and suspicious network activity without flooding your logs. If you want to tweak it, check the XML’s <EventFiltering> section to adjust what Sysmon logs (e.g., add <FileCreate> for file creation events).

Here is the screenshot of what the file looks like:


After this is done, go to your Elastic Security dashboard, head over to the Discover tab, and click on “*logs”. This is called an index; you can think of it as a table that stores all the different types of logs.

Taking a snapshot of our VM

Taking a snapshot is a very important step: it lets us bring the VM back to its original, pre-execution state once the analysis is done, following NIST SP 800–61 (the Incident Response process). To take one, click the Take button:


Let’s download the ransomware from this GitHub repository: https://github.com/ytisf/theZoo

Downloading Autopsy and Volatility:

Note: Install these two tools on your host system (your main OS — for example, if your main OS is Windows 11 and you’re running a Windows 10 VM inside it, then install the tools on Windows 11).

Download Autopsy from this link: https://www.autopsy.com/download/.

Follow the steps to install Volatility for Memory Analysis:

  1. Download the latest version of Python from this website: https://www.python.org/downloads/
  2. Download this wheel package for the latest version of Volatility (Volatility is built using Python, which is why I told you to download the latest version of Python first!): https://github.com/volatilityfoundation/volatility3/releases/download/v2.26.0/volatility3-2.26.0-py3-none-any.whl
  3. Now install Volatility 3 using pip by executing the following command (the wheel file name must match the one you downloaded):
    pip install path\to\volatility3-2.26.0-py3-none-any.whl


If you see the following output, everything is good so far!

  4. Now verify the installation by typing the following command:

vol -h


If you see the following, you have successfully installed Volatility!

Time to write custom detection rules to detect the Wannacry Ransomware

We can use open source intelligence to gather more information on which processes are created upon execution of the ransomware. This can be done by taking the hash of the sample and checking it with websites like Hybrid Analysis or Any.run. We already have the SHA-256 hash of the sample, as it is posted in the GitHub repository of theZoo.

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Now let’s paste this into Hybrid Analysis to see a bigger picture of what can happen. The process of analysing a malware sample like this is often known as Static Analysis.


Here is the link for the analysis which I’m using in this image: Link

Static analysis involves examining the file without running it, such as inspecting the binary’s structure, strings, or imports. Hybrid Analysis does offer static analysis, but it also includes dynamic analysis (behavior when executed in a sandbox). For pure static analysis, consider tools like PEStudio or strings extraction to complement Hybrid Analysis data.

Identifying the processes created (e.g., taskdl.exe, taskse.exe, @WanaDecryptor@.exe) is a key IoC (Indicator of Compromise). Hybrid Analysis reports for this hash show multiple spawned processes (e.g., cmd.exe, cscript.exe, attrib.exe), which are valuable for detection rules, but we also need to cross-check these against known legitimate processes to avoid false positives.

Go to rules and then click Detection Rules to get started:


Click Create new rule:


Select custom query as your option and write the following KQL query:

(
  (process.name: "attrib.exe" and process.command_line: *+h*) or
  (process.name: "icacls.exe" and process.command_line: *Everyone\:F*) or
  process.name: "taskdl.exe" or
  (process.name: "cmd.exe" and process.command_line: *88831743893367.bat*) or
  (process.name: "cscript.exe" and process.command_line: *m.vbs*) or
  process.name: "WannaCry.exe.sample.exe"
) or
file.path: (
  "C:\\88831743893367.bat" or
  "C:\\@WanaDecryptor@.exe" or
  "C:\\@Please_Read_Me@.txt" or
  "C:\\f.wnry" or
  "C:\\m.vbs" or
  C\:\\msg\\m_*.wnry
)

Then click Continue and fill in the About rule and Schedule rule sections:


I have given the alert severity as critical and a risk score of 100 to this rule. The schedule rule runs every 1 minute and checks for alerts based on the custom query that we created above.

For the next step, click Elastic Defend under Rule actions and choose Isolate as the response action. Then click Create and enable rule:


Skip the part below if you are not comfortable doing it

Executing the Ransomware

Before executing the ransomware there are some points to keep in mind:

  1. Turn Off the internet connection on your VM
  2. Disable shared folder access so that the infection doesn’t spread to your host OS


Turn Off the internet connection


Make sure there are no signs of shared folders here!

Disable Windows Defender Temporarily

Open PowerShell or Command Prompt as Administrator and then turn off real-time protection with PowerShell:

Set-MpPreference -DisableRealtimeMonitoring $true

The above command disables Windows Defender’s real-time protection.

Now open Windows Security > Virus & Threat Protection > Manage Settings. Turn off all the virus and threat protection settings for an efficient dynamic analysis.

Let’s execute the ransomware now!

Double-click the executable file in theZoo folder. Give it some time and you should see the following screen. If you look carefully, there are some files with the extension “.WNCRY”. This means that the VM has been infected by the WannaCry ransomware.


If you try to open the regular text files on your desktop (if you created them earlier to test whether file events show up in your ELK SIEM), you will see something like this, indicating that the files are encrypted:


Transferring the logs back to your ELK SIEM:

After the execution, switch the VM’s network adapter back to NAT mode in its network settings, with the Cable Connected option turned on:


This makes sure that the logs are forwarded to your SIEM by your Fleet agent.

A second option is to leave the internet turned on while executing the ransomware, making sure that the network settings are in NAT mode with the cable connected. This makes sure that the logs are transferred to your SIEM while the attack is happening in real time. This is riskier, so to reduce the chance of infecting your host machine, add a rule to your firewall settings that blocks outbound SMB connections on ports 445 and 139.

Now the logs should have been forwarded to your SIEM. Enter a KQL query for a known malicious process that you know is spawned by running the WannaCry ransomware. Here is my sample KQL query:

process.name:"attrib.exe"


We can also see the detection rule hits under the security solution alerts index; our dashboard shows 20 alerts:


This should confirm that the logs are ingested in your SIEM (Just make sure to filter the time when the event happened)!

Let’s start hunting threats!

A threat hunting approach uses threat intelligence as its starting point, combined with a general understanding of system baselining. For this case we will be using the two threat intelligence frameworks analysts use most in their day-to-day work: MITRE ATT&CK and the Cyber Kill Chain (CKC) framework (you can definitely use any other advanced framework for this, but in this article I will be using CKC!).

Let’s start mapping whatever information we have now with CKC. Here is what the framework actually looks like:


The model identifies what the adversaries must complete in order to achieve their objective.

Reconnaissance: WannaCry specifically looks for the SMB version 1 vulnerability within the Windows OS. If the conditions set in the malware are met, it starts exploiting the EternalBlue vulnerability. Reference: https://helpdesk.kaseya.com/hc/en-gb/articles/4407526903953-CVE-2017-0143-Windows-SMB-RCE-Vulnerability-WannaCry. Mapped to Vulnerability Scanning, TTP ID: T1595.002, MITRE ATT&CK link: https://attack.mitre.org/techniques/T1595/002/

Weaponization: DoublePulsar is the backdoor installed on compromised computers by the ransomware. The DoublePulsar attack works by silently installing a dangerous backdoor implant on your PC, which attackers can use to bypass your PC's security and access your system without detection. After gaining access to your system, the attacker can plant malware or steal your personal data. This means you are vulnerable to further malware attacks, including "WannaCry" ransomware. Reference: https://support.avast.com/en-ca/article/eternalblue-vulnerability/#pc. So we can now map this information to MITRE ATT&CK. Technique ID: T1055. Reference: https://attack.mitre.org/techniques/T1055/

Exploitation: As we know, the ransomware exploits a known vulnerability, and the targets were mostly public-facing applications. So we can map this to MITRE ATT&CK technique ID T1190. Reference to the technique on MITRE: https://attack.mitre.org/techniques/T1190/.

Delivery: As we know, WannaCry exploits SMB servers and moves laterally across the network to exploit other devices. The Delivery phase of CKC doesn’t properly map in our case, because we downloaded the binary ourselves from the GitHub repository.

Installation: We can definitely confirm this just by observing the desktop after execution. Running the executable installs malware which encrypts all files on the user's system. After installation it does the following:

WannaCry installs itself as a Windows service, so it starts automatically after reboots. T1543.003 — Create or Modify System Process: Windows Service

Once registered, WannaCry runs using the Windows Service Control Manager (services.exe). T1569.002 — System Services: Service Execution

The service name looks legitimate or random to avoid suspicion (e.g., hiding under system-like names). T1036 — Masquerading

The final payload encrypts files and demands ransom. T1486 — Data Encrypted for Impact.

Command and Control (C2): With a little research we can find out that WannaCry makes no C2 connection other than the kill-switch domain: hxxp[://]www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com.

Actions on Objectives: After the attack has generated and stored the encryption keys, they are used to encrypt all types of files except system-critical files like .exe, .dll, .sys. The reason is that if the ransomware encrypted these files, the machine could become unbootable and the attackers would not be able to receive the ransom!

A structured threat hunting approach requires us to form a hypothesis before starting to hunt for actual threats. In our scenario, an endpoint gets infected by ransomware. Most ransomware establishes persistence to maintain access even after reboot, encrypts local and network files targeting specific extensions, drops ransom note(s) with payment instructions, and may delete shadow copies, logs, or backups to prevent recovery.

Let’s go step by step:

  1. Looking for malware persistence: this mostly involves changing registry keys (Sysmon event ID 13):

As we can see, the process tasksche.exe masquerades as the Windows Task Scheduler, i.e., it is a malicious process, and it maps to T1036 and T1112 on MITRE ATT&CK. KQL query: event.code: 13


2. Encrypts local and network files:

Here we can look for Sysmon event ID 11 (file creation events) and look for files with the extension “WNCRYT”. KQL query: event.code:11 and (file.path:*\\*.WNCRYT or file.name:*.WNCRYT) and event.dataset:"windows.sysmon_operational". MITRE ATT&CK technique: T1486 — Data Encrypted for Impact.


3. Dropping ransom note(s) with payment instructions:

Here we can look for Sysmon Event ID 11 again and for files ending with “.txt” as Ransomware won’t encrypt the text files which it created for demanding ransom from the victim. KQL Query: event.code:11 and file.name:*.txt


4. Shadow copy deletion:

Here we can use Sysmon event ID 1 to check whether any new processes are created. KQL query to find shadow copy deletion: event.code:"1" and process.name:"vssadmin.exe"


Interestingly, in this WannaCry execution, no shadow copies were deleted, confirming that this variant focuses on file encryption and propagation rather than destroying system recovery options.
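To see how the custom-query rule from the detection-rule section and the four hunt hypotheses above behave on concrete events, here is an added Python example (not code from the original article) that replays them over a handful of constructed ECS-style Sysmon records. The file patterns are generalised from the rule's C:\ root to any directory, and the last function applies the cross-check against legitimate processes the article recommends, scoping the noisy "*.txt created" hunt to processes that also wrote .WNCRYT files.

```python
"""Replay the article's custom-query rule and its four hunt hypotheses over
constructed ECS-style Sysmon events (made up for this example, not lab logs)."""
import fnmatch
import json

# Event shape as Elastic Agent emits Sysmon (event.code = Sysmon ID: 1 process, 11 file, 13 registry).
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"event":{"code":"1"},"process":{"name":"attrib.exe","command_line":"attrib +h ."}}
{"event":{"code":"1"},"process":{"name":"cmd.exe","command_line":"cmd.exe /c 88831743893367.bat"}}
{"event":{"code":"1"},"process":{"name":"vssadmin.exe","command_line":"vssadmin delete shadows /all /quiet"}}
{"event":{"code":"1"},"process":{"name":"svchost.exe","command_line":"svchost.exe -k netsvcs"}}
{"event":{"code":"13"},"process":{"name":"tasksche.exe"},"registry":{"path":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\lab"}}
{"event":{"code":"11"},"process":{"name":"tasksche.exe"},"file":{"path":"C:\\Users\\lab\\Desktop\\notes.txt.WNCRYT"}}
{"event":{"code":"11"},"process":{"name":"tasksche.exe"},"file":{"path":"C:\\Users\\lab\\Desktop\\@Please_Read_Me@.txt"}}
{"event":{"code":"11"},"process":{"name":"notepad.exe"},"file":{"path":"C:\\Users\\lab\\Desktop\\todo.txt"}}
'''.strip().splitlines()]

def field(event, path):
    """Return a dotted ECS field such as 'process.name', or '' when absent."""
    node = event
    for key in path.split("."):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, str) else ""

def like(value, pattern):
    """Case-insensitive '*' wildcard match, mirroring KQL wildcards on keyword fields."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

# The detection rule from the article. File patterns are generalised from the
# article's C:\ root to any directory, because the sample drops them beside itself.
RULE_COMMAND_LINES = {  # process.name -> command-line wildcard
    "attrib.exe": "attrib +h*", "icacls.exe": "*Everyone:F*",
    "cmd.exe": "*88831743893367.bat*", "cscript.exe": "*m.vbs*",
}
RULE_PROCESSES = {"taskdl.exe", "wannacry.exe.sample.exe"}
RULE_FILES = ["*\\88831743893367.bat", "*\\@WanaDecryptor@.exe", "*\\@Please_Read_Me@.txt",
              "*\\f.wnry", "*\\m.vbs", "*\\msg\\m_*.wnry"]

def rule_matches(event):
    """True when the event would trigger the custom-query rule."""
    name = field(event, "process.name").lower()
    if name in RULE_PROCESSES:
        return True
    if name in RULE_COMMAND_LINES and like(field(event, "process.command_line"), RULE_COMMAND_LINES[name]):
        return True
    return any(like(field(event, "file.path"), pattern) for pattern in RULE_FILES)

# The four hunt hypotheses, each mirroring one KQL query from the write-up.
HUNTS = {
    "persistence via registry (T1036/T1112)": lambda e: field(e, "event.code") == "13",
    "encrypted files (T1486)":
        lambda e: field(e, "event.code") == "11" and like(field(e, "file.path"), "*.WNCRYT"),
    "ransom note dropped (T1486)":
        lambda e: field(e, "event.code") == "11" and like(field(e, "file.path"), "*.txt"),
    "shadow copy deletion (vssadmin, T1490)":
        lambda e: field(e, "event.code") == "1" and field(e, "process.name").lower() == "vssadmin.exe",
}

def run_hunts(events):
    """Return {hypothesis: [process.name of every matching event]}."""
    return {label: [field(e, "process.name") for e in events if hit(e)] for label, hit in HUNTS.items()}

def ransom_note_creators(events):
    """'*.txt created' is noisy on its own (any editor trips it), so keep only notes
    written by a process that also produced .WNCRYT files: the article's cross-check."""
    encryptors = {field(e, "process.name").lower() for e in events if HUNTS["encrypted files (T1486)"](e)}
    return sorted(field(e, "file.path") for e in events
                  if HUNTS["ransom note dropped (T1486)"](e) and field(e, "process.name").lower() in encryptors)

if __name__ == "__main__":
    print("rule hits:", [field(e, "process.name") for e in SAMPLE_EVENTS if rule_matches(e)])
    print("hunts:", run_hunts(SAMPLE_EVENTS))
    print("ransom notes after scoping:", ransom_note_creators(SAMPLE_EVENTS))
```

The unscoped "*.txt" hunt also returns notepad.exe writing todo.txt, which is exactly the false positive the process cross-check removes.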

Our task with the Windows VM is done now, so we can shut it down and revert it to its original state from before the attack using the snapshot that we took earlier.

Click restore on the snapshot which you want to get to after the attack:


Cloning Virtual Hard Disk from our VM

Go to the main directory where your VirtualBox is installed. Then type the following command:

VBoxManage clonehd "C:\Path\Windows10.vdi" "C:\Path\Windows10.raw" --format RAW

The first path argument in the command is where your Windows 10 virtual disk is located. This path should look like: “C:\Users\your_username\VirtualBox VMs\Windows10\Snapshots\the_snapshot_which_is_infected_but_not_saved”. The second path is the location where you want to save the raw disk to.

This command will copy the virtual hard disk from your Windows VM byte-by-byte in RAW format. Make sure you have at least 55–65 GB of space on your device for the raw virtual hard disk extracted from your Windows 10 VM!

Taking the memory dump of our VM for analysis

Go to the location where your VirtualBox is stored. Open terminal in that folder and type the following command:

 .\VBoxManage.exe debugvm "Your VM's Name" dumpvmcore --filename="Folder Location where you want to store the file to\VM_Name.raw"

Storage requirements for the memory dump can be around 5 GB. This will depend on how many tasks you performed on your VM.

Autopsy Analysis

Open Autopsy in administrator mode, click New Case, and fill in the case information:


Enter a random case number and click next/finish

Now you will see a new window opened in Autopsy.


Click Next, select the Disk Image / VM File option, and add the location of the RAW disk file we created a moment ago:


Add the location of your virtual machine disk and click Next. On the next screen, select the ingest modules you are interested in. In our case: Recent Activity, Hash Lookup, Encryption Detection, and more!

After Autopsy processes the artifacts from the disk, we should see something like this:


Let’s click the File Size option and see what types of files Autopsy found during forensics:


As we can see, there are some files with the extension .WNCRY, indicating that the files are encrypted.

If we sort and see the images section we can observe the ransom image over there:


One more section that is worth noting is the Score section in Autopsy.


We can see that there are 970 suspicious items, indicating that the disk image is 100% infected by ransomware.

Let’s now look at registry keys for evidence of potential persistence mechanisms. Here I found the “@WanaDecryptor@.exe” executable:


Let’s look at NTUSER.DAT for any signs of persistence:


A clear sign of a scheduled task and persistence (MITRE ATT&CK T1112).

Memory Analysis using Volatility

Let’s look at the Volatility help menu to see what operations we can perform and which parameters are useful for analysing memory.


There are four plugins that are useful for finding malicious processes: windows.pslist.PsList, windows.psscan.PsScan, windows.pstree.PsTree and windows.psxview.PsXView

Let’s use them one by one to see what information we can get from them:

  1. vol -f win10_memdump_wannacry.raw windows.pslist


Two unknown processes appear after the initial memory analysis. If we search for them on Google, the following comes up:


We can clearly observe that the processes are related to the WannaCry ransomware: process ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe with PID 11444 and process @WannaDecryptor with PID 10160.

Plugin windows.psscan.PsScan:


No other malicious process was discovered.

Plugin windows.pstree.PsTree:


The output can’t be read properly on the terminal, so I piped the output to a CSV file with the following command:

 vol -f win10_memdump_wannacry.raw windows.pstree.PsTree > output.csv


We can see the location of some of the processes.
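As an added example (not part of the article or of Volatility itself), the following Python script parses a windows.pslist listing in the tab-separated layout of vol's default renderer and flags processes missing from a clean-VM baseline, together with their descendants, printing each parent chain the way pstree would. The listing and the baseline are constructed for this example; PIDs 11444 and 10160 reuse the numbers seen above.

```python
"""Triage a Volatility 3 windows.pslist listing against a process-name baseline.
The listing is constructed for this example in the tab-separated layout of
vol's default renderer; it is not output captured from the article's dump."""

_HEADER = ("PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64"
           "\tCreateTime\tExitTime\tFile output")
_ROWS = [  # (PID, PPID, ImageFileName) for the constructed listing; 11444/10160 as in the article
    (4, 0, "System"), (368, 4, "smss.exe"), (468, 452, "csrss.exe"), (540, 452, "wininit.exe"),
    (668, 540, "services.exe"), (820, 668, "svchost.exe"), (4216, 4100, "explorer.exe"),
    (11444, 4216, "ed01ebfbc9eb5bb"), (11520, 11444, "tasksche.exe"), (10160, 11520, "@WanaDecryptor@"),
]
# The kernel stores only 15 characters of the image name, so the hash-named sample and
# @WanaDecryptor@.exe appear truncated in pslist; use windows.cmdline for the full path.
PSLIST_OUTPUT = "Volatility 3 Framework 2.26.0\n" + _HEADER + "\n" + "\n".join(
    f"{pid}\t{ppid}\t{name}\t0x0\t4\t-\t1\tFalse\t2025-09-19 10:01:02.000000 UTC\tN/A\tDisabled"
    for pid, ppid, name in _ROWS)

# Minimal Windows 10 baseline; in a real hunt, build it from a clean snapshot of the same VM.
BASELINE = {"System", "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "svchost.exe",
            "lsass.exe", "winlogon.exe", "explorer.exe"}

def parse_pslist(text):
    """Map PID -> {'ppid', 'name'} from the tab-separated table, skipping the banner line."""
    procs, header = {}, None
    for line in text.splitlines():
        cols = line.split("\t")
        if header is None:
            header = cols if cols[0] == "PID" else None
            continue
        if len(cols) == len(header):
            row = dict(zip(header, cols))
            procs[int(row["PID"])] = {"ppid": int(row["PPID"]), "name": row["ImageFileName"]}
    return procs

def suspicious_pids(procs, baseline):
    """PIDs whose image name is not in the baseline, plus every descendant of such a
    process: a child of malware is suspect even when it reuses a familiar name."""
    flagged = {pid for pid, p in procs.items() if p["name"] not in baseline}
    while True:
        children = {pid for pid, p in procs.items() if p["ppid"] in flagged} - flagged
        if not children:
            return flagged
        flagged |= children

def lineage(procs, pid):
    """Render the parent chain, e.g. 'explorer.exe(4216) > ed01ebfbc9eb5bb(11444)'."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # 'seen' guards against PPID cycles
        seen.add(pid)
        chain.append(f"{procs[pid]['name']}({pid})")
        pid = procs[pid]["ppid"]
    return " > ".join(reversed(chain))

if __name__ == "__main__":
    procs = parse_pslist(PSLIST_OUTPUT)
    for pid in sorted(suspicious_pids(procs, BASELINE)):
        print(lineage(procs, pid))
```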

Conclusion

This hands-on lab walked you through building a cybersecurity homelab to analyze WannaCry ransomware, from setting up Elastic SIEM and Sysmon to performing static and dynamic analysis. By first using static analysis to identify IoCs like taskdl.exe and crafting KQL detection rules, then dynamically executing WannaCry to observe behaviors like .WNCRY file encryption, you’ve gained practical skills in threat hunting and DFIR. Tools like Autopsy and Volatility further revealed persistence mechanisms (e.g., MITRE ATT&CK T1112) and masqueraded processes, showing how attackers evade defenses. Apply these techniques to other malware samples, refine your detection rules, and keep exploring MITRE ATT&CK and Cyber Kill Chain to sharpen your cybersecurity expertise!


Source: https://infosecwriteups.com/wannacry-ransomware-a-dfir-soc-monitoring-lab-walkthrough-9001f61a71e9?source=rss----7b722bfd1b8d---4