Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 16:40
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
- Resource: win7-20231215-en
General
- Target: 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
- Size: 5.0MB
- MD5: 75c428c607b56602db8b95d9dbc07292
- SHA1: 2ba839a0f0994bf5c2f1a70fe1049e34809041b8
- SHA256: 200ebd86175e76e073681a8f19eb75587bd55ede404fea81adeacf8f5aaf6418
- SHA512: e52d711db13a01d480e601e371c590b29805e4c8065a7a374fc911b06659bb41ba7eaffce6b700353839a622d8bb0733f0996c62dfcdc57171404661466bb4ed
- SSDEEP: 98304:Z8cPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:Z8cPe1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3320) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 2448, tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  - File opened for modification, C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat, 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
- Drops file in Windows directory (1 IoCs)
  Processes (description, ioc, process):
  - File created, C:\WINDOWS\tasksche.exe, 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes (description, ioc, process):
  - Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 2188 wrote to memory of 2448, 2188, 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe, tasksche.exe
  - PID 2188 wrote to memory of 2448, 2188, 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe, tasksche.exe
  - PID 2188 wrote to memory of 2448, 2188, 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe, tasksche.exe
  - PID 2188 wrote to memory of 2448, 2188, 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe, tasksche.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 2188
  - C:\WINDOWS\tasksche.exe (depth 2, child of PID 2188)
    Command line: C:\WINDOWS\tasksche.exe /i
    - Executes dropped EXE
    PID: 2448
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe -m security
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 3040
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\tasksche.exe
  Filesize: 783KB
  MD5: d180814ef05ba1ed50f2afb24f0b9265
  SHA1: 996c1b5a7b18a83e26d8e4f7e708b073e2338526
  SHA256: a17c18b2b85589dafad077e9dc868cd32c31c4b8ed5e978ec77ef180a8f9a17b
  SHA512: 98525a12a0e696752dcd46c58a12f72249aa38d061bd806835e3564ba8821bc4c13f863d6a1cbc8da9cab0aad417313ed98978f8fa8ad57132cf07b1d2344e7f
- C:\Windows\tasksche.exe
  Filesize: 897KB
  MD5: 6b5138d71919cae4fc28f11316f71078
  SHA1: 0d4a000310634c7a1915b820ae8d22b5c5be7cd1
  SHA256: e3070364d0dbcf290dd8ce7188db25e485eeccd764250f123fe2709735d470cb
  SHA512: 8ebd8b6151c1fbe60794106207d4e76b9807f3bac55342b9a5759734110effedcd04ed68a523c8465be54495208be982bf0ffa1d949e22fed16d637c1ab1b21c