wannacry | 200ebd86175e76e073681a8f19eb75587bd55ede404fea81adeacf8f5aaf6418

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
Size

5.0MB
MD5

75c428c607b56602db8b95d9dbc07292
SHA1

2ba839a0f0994bf5c2f1a70fe1049e34809041b8
SHA256

200ebd86175e76e073681a8f19eb75587bd55ede404fea81adeacf8f5aaf6418
SHA512

e52d711db13a01d480e601e371c590b29805e4c8065a7a374fc911b06659bb41ba7eaffce6b700353839a622d8bb0733f0996c62dfcdc57171404661466bb4ed
SSDEEP

98304:Z8cPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:Z8cPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3320) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2448 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2448	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe

Drops file in Windows directory 1 IoCs

Processes:

2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe

description	pid	process	target process
PID 2188 wrote to memory of 2448	2188	2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe	tasksche.exe
PID 2188 wrote to memory of 2448	2188	2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe	tasksche.exe
PID 2188 wrote to memory of 2448	2188	2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe	tasksche.exe
PID 2188 wrote to memory of 2448	2188	2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe	tasksche.exe

C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2188

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:2448

C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe
Filesize
783KB

MD5
d180814ef05ba1ed50f2afb24f0b9265

SHA1
996c1b5a7b18a83e26d8e4f7e708b073e2338526

SHA256
a17c18b2b85589dafad077e9dc868cd32c31c4b8ed5e978ec77ef180a8f9a17b

SHA512
98525a12a0e696752dcd46c58a12f72249aa38d061bd806835e3564ba8821bc4c13f863d6a1cbc8da9cab0aad417313ed98978f8fa8ad57132cf07b1d2344e7f

Download Submit
C:\Windows\tasksche.exe
Filesize
897KB

MD5
6b5138d71919cae4fc28f11316f71078

SHA1
0d4a000310634c7a1915b820ae8d22b5c5be7cd1

SHA256
e3070364d0dbcf290dd8ce7188db25e485eeccd764250f123fe2709735d470cb

SHA512
8ebd8b6151c1fbe60794106207d4e76b9807f3bac55342b9a5759734110effedcd04ed68a523c8465be54495208be982bf0ffa1d949e22fed16d637c1ab1b21c

Download Submit