Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-03-2024 09:44
Static task: static1
Behavioral task: behavioral1
Sample: 2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
Resource: win10v2004-20240226-en
General
Target: 2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
Size: 3.6MB
MD5: 085a2eda5f509d08ae709fd1540e6e35
SHA1: 3bf2d6cc073025692645bafbd388492cd90b090f
SHA256: 7ff10853a16615a26f5912519335682df0e527cd220319a6dba15f1fa805679f
SHA512: a1d5bd0e55bec90d09a816798689693197f65cb7443e3209fff163835291a28bbd946e9de5eae4e1e53cafb2b0a6fbb04b6c347938e8a0a3c97e6c2b0fe095be
SSDEEP: 12288:GvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPUi:2bLgddQhfdmMSirYbcS
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3350) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (1 IoCs)
Processes:
pid | process
1228 | tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (1 IoCs)
Processes: 2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
description | ioc | process
File created | C:\WINDOWS\tasksche.exe | 2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes: 2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | 2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | 2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | 2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | 2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | 2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe"
- Drops file in Windows directory
PID: 440

  C:\WINDOWS\tasksche.exe (child process)
  Command line: C:\WINDOWS\tasksche.exe /i
  - Executes dropped EXE
  PID: 1228

C:\Users\Admin\AppData\Local\Temp\2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-03-11_085a2eda5f509d08ae709fd1540e6e35_wannacry.exe -m security
- Modifies data under HKEY_USERS
PID: 396
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.4MB
MD5: 6552c6e51e566e3f3d50b1b0404d33eb
SHA1: 352bd30c4c901771b5fb5812f74fd515d9857953
SHA256: 2176b5d60ba1c7d03d8738a014a552c4f47c94ba11a4ed2ab79c3bda3c2f57ec
SHA512: 3ddcd1f3f888f53cf196b718119272fcfb5a13c87138d8bce548ca37a7ca9289ef0b99c0d36cc085278638633fa90c0056241b250c9c4cd002e110a4d065e9f4