Analysis

  • max time kernel
    20s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-03-2024 17:01

General

  • Target

    WanaCry.bat

  • Size

    1KB

  • MD5

    7ee25f21592d32a1e01e960eff61918a

  • SHA1

    880a9e1baad8a7f2ccf1b446cb798840d5b45c9e

  • SHA256

    59a13e7741b484acb88b61b982e8d064b96bc16eb8a5dc586e0541ef30bd4c1a

  • SHA512

    ec2158a34c6959c7f922fd845ca6c20fca9e0dff9c74a7bb3af01e658f87f3f8f43f44b852135fa423276e5b6a9451c8e95cbb7b4649f8da074f61170b78e076

Score
1/10

Malware Config

Signatures

  • Delays execution with timeout.exe 18 IoCs
  • Enumerates processes with tasklist 1 TTPs 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WanaCry.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Windows\system32\mode.com
      mode con: cols=80 lines=25
      2⤵
        PID:552
      • C:\Windows\system32\timeout.exe
        timeout 3
        2⤵
        • Delays execution with timeout.exe
        PID:1908
      • C:\Windows\system32\certutil.exe
        certutil -encode C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1708961151.txt C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1708961151.txt.tmp
        2⤵
          PID:2100
        • C:\Windows\system32\certutil.exe
          certutil -encode C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.tmp
          2⤵
            PID:1512
          • C:\Windows\system32\certutil.exe
            certutil -encode C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7107.txt C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7107.txt.tmp
            2⤵
              PID:3048
            • C:\Windows\system32\certutil.exe
              certutil -encode C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7121.txt C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI7121.txt.tmp
              2⤵
                PID:2876
              • C:\Windows\system32\certutil.exe
                certutil -encode C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7107.txt C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7107.txt.tmp
                2⤵
                  PID:3412
                • C:\Windows\system32\certutil.exe
                  certutil -encode C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7121.txt C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI7121.txt.tmp
                  2⤵
                    PID:4704
                  • C:\Windows\system32\timeout.exe
                    timeout 2
                    2⤵
                    • Delays execution with timeout.exe
                    PID:3448
                  • C:\Windows\system32\tasklist.exe
                    tasklist
                    2⤵
                    • Enumerates processes with tasklist
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4992
                  • C:\Windows\system32\find.exe
                    find "cmd.exe"
                    2⤵
                      PID:3688
                    • C:\Windows\system32\timeout.exe
                      timeout 1
                      2⤵
                      • Delays execution with timeout.exe
                      PID:4276
                    • C:\Windows\system32\tasklist.exe
                      tasklist
                      2⤵
                      • Enumerates processes with tasklist
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2280
                    • C:\Windows\system32\find.exe
                      find "cmd.exe"
                      2⤵
                        PID:3272
                      • C:\Windows\system32\timeout.exe
                        timeout 1
                        2⤵
                        • Delays execution with timeout.exe
                        PID:3352
                      • C:\Windows\system32\tasklist.exe
                        tasklist
                        2⤵
                        • Enumerates processes with tasklist
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1676
                      • C:\Windows\system32\find.exe
                        find "cmd.exe"
                        2⤵
                          PID:2744
                        • C:\Windows\system32\timeout.exe
                          timeout 1
                          2⤵
                          • Delays execution with timeout.exe
                          PID:4896
                        • C:\Windows\system32\tasklist.exe
                          tasklist
                          2⤵
                          • Enumerates processes with tasklist
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3340
                        • C:\Windows\system32\find.exe
                          find "cmd.exe"
                          2⤵
                            PID:1856
                          • C:\Windows\system32\timeout.exe
                            timeout 1
                            2⤵
                            • Delays execution with timeout.exe
                            PID:3284
                          • C:\Windows\system32\tasklist.exe
                            tasklist
                            2⤵
                            • Enumerates processes with tasklist
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4860
                          • C:\Windows\system32\find.exe
                            find "cmd.exe"
                            2⤵
                              PID:2724
                            • C:\Windows\system32\timeout.exe
                              timeout 1
                              2⤵
                              • Delays execution with timeout.exe
                              PID:4540
                            • C:\Windows\system32\tasklist.exe
                              tasklist
                              2⤵
                              • Enumerates processes with tasklist
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5096
                            • C:\Windows\system32\find.exe
                              find "cmd.exe"
                              2⤵
                                PID:1508
                              • C:\Windows\system32\timeout.exe
                                timeout 1
                                2⤵
                                • Delays execution with timeout.exe
                                PID:2788
                              • C:\Windows\system32\tasklist.exe
                                tasklist
                                2⤵
                                • Enumerates processes with tasklist
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3728
                              • C:\Windows\system32\find.exe
                                find "cmd.exe"
                                2⤵
                                  PID:3512
                                • C:\Windows\system32\timeout.exe
                                  timeout 1
                                  2⤵
                                  • Delays execution with timeout.exe
                                  PID:4488
                                • C:\Windows\system32\tasklist.exe
                                  tasklist
                                  2⤵
                                  • Enumerates processes with tasklist
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1728
                                • C:\Windows\system32\find.exe
                                  find "cmd.exe"
                                  2⤵
                                    PID:2956
                                  • C:\Windows\system32\timeout.exe
                                    timeout 1
                                    2⤵
                                    • Delays execution with timeout.exe
                                    PID:2288
                                  • C:\Windows\system32\tasklist.exe
                                    tasklist
                                    2⤵
                                    • Enumerates processes with tasklist
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4824
                                  • C:\Windows\system32\find.exe
                                    find "cmd.exe"
                                    2⤵
                                      PID:5016
                                    • C:\Windows\system32\timeout.exe
                                      timeout 1
                                      2⤵
                                      • Delays execution with timeout.exe
                                      PID:3180
                                    • C:\Windows\system32\tasklist.exe
                                      tasklist
                                      2⤵
                                      • Enumerates processes with tasklist
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:544
                                    • C:\Windows\system32\find.exe
                                      find "cmd.exe"
                                      2⤵
                                        PID:560
                                      • C:\Windows\system32\timeout.exe
                                        timeout 1
                                        2⤵
                                        • Delays execution with timeout.exe
                                        PID:2412
                                      • C:\Windows\system32\tasklist.exe
                                        tasklist
                                        2⤵
                                        • Enumerates processes with tasklist
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4388
                                      • C:\Windows\system32\find.exe
                                        find "cmd.exe"
                                        2⤵
                                          PID:4804
                                        • C:\Windows\system32\timeout.exe
                                          timeout 1
                                          2⤵
                                          • Delays execution with timeout.exe
                                          PID:3356
                                        • C:\Windows\system32\tasklist.exe
                                          tasklist
                                          2⤵
                                          • Enumerates processes with tasklist
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4152
                                        • C:\Windows\system32\find.exe
                                          find "cmd.exe"
                                          2⤵
                                            PID:4300
                                          • C:\Windows\system32\timeout.exe
                                            timeout 1
                                            2⤵
                                            • Delays execution with timeout.exe
                                            PID:3840
                                          • C:\Windows\system32\tasklist.exe
                                            tasklist
                                            2⤵
                                            • Enumerates processes with tasklist
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1208
                                          • C:\Windows\system32\find.exe
                                            find "cmd.exe"
                                            2⤵
                                              PID:3988
                                            • C:\Windows\system32\timeout.exe
                                              timeout 1
                                              2⤵
                                              • Delays execution with timeout.exe
                                              PID:536
                                            • C:\Windows\system32\tasklist.exe
                                              tasklist
                                              2⤵
                                              • Enumerates processes with tasklist
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3516
                                            • C:\Windows\system32\find.exe
                                              find "cmd.exe"
                                              2⤵
                                                PID:4260
                                              • C:\Windows\system32\timeout.exe
                                                timeout 1
                                                2⤵
                                                • Delays execution with timeout.exe
                                                PID:3456
                                              • C:\Windows\system32\tasklist.exe
                                                tasklist
                                                2⤵
                                                • Enumerates processes with tasklist
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3336
                                              • C:\Windows\system32\find.exe
                                                find "cmd.exe"
                                                2⤵
                                                  PID:3224
                                                • C:\Windows\system32\timeout.exe
                                                  timeout 1
                                                  2⤵
                                                  • Delays execution with timeout.exe
                                                  PID:1248
                                                • C:\Windows\system32\tasklist.exe
                                                  tasklist
                                                  2⤵
                                                  • Enumerates processes with tasklist
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4576
                                                • C:\Windows\system32\find.exe
                                                  find "cmd.exe"
                                                  2⤵
                                                    PID:1404
                                                  • C:\Windows\system32\timeout.exe
                                                    timeout 1
                                                    2⤵
                                                    • Delays execution with timeout.exe
                                                    PID:2704

Network

MITRE ATT&CK Enterprise v15
