Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-01-2024 16:40
Static task
static1
Behavioral task
behavioral1
Sample
2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
Resource
win7-20231215-en
General
- Target: 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
- Size: 5.0MB
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3170) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (1 IoCs)
  Processes: tasksche.exe
  pid: 5084, process: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (1 IoCs)
  Processes: 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
  description: File created, ioc: C:\WINDOWS\tasksche.exe, process: 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid: 5104, pid_target: 5084, process: WerFault.exe, target process: tasksche.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
  description: PID 3308 wrote to memory of 5084, pid: 3308, process: 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe, target process: tasksche.exe
  description: PID 3308 wrote to memory of 5084, pid: 3308, process: 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe, target process: tasksche.exe
  description: PID 3308 wrote to memory of 5084, pid: 3308, process: 2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe, target process: tasksche.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe"
  PID: 3308
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\tasksche.exe
    Command line: C:\WINDOWS\tasksche.exe /i
    PID: 5084
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 220
      PID: 5104
      - Program crash
- C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-01-25_75c428c607b56602db8b95d9dbc07292_wannacry.exe -m security
  PID: 3908
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5084 -ip 5084
  PID: 3256
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\WINDOWS\tasksche.exe
  Filesize: 576KB
- C:\Windows\tasksche.exe
  Filesize: 717KB