wannacry | 8052e7b4b67c2cafa041fdc3b7daa5684d1a85ad9b1b5ca1b7beba8631bac062

Resubmissions

14-03-2024 09:59

240314-lz664aha7z 10

14-03-2024 09:56

240314-lytjlsha4t 10

14-03-2024 09:35

240314-lkbrmsba53 10

Analysis

max time kernel
19s
max time network
21s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
14-03-2024 09:59

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe
Size

3.6MB
MD5

fb1c4d59adaf64a044dba323ea8fe6f0
SHA1

42ae1eabe02cf20ce21b32dc0f0f3a90206887a6
SHA256

8052e7b4b67c2cafa041fdc3b7daa5684d1a85ad9b1b5ca1b7beba8631bac062
SHA512

1d76ee4218592249536a09ee1b76b91939905e32d0ad0a53c7b92fb11b3d02e642a1c9ed484bffc123cf7f2501f1d780d1b2b7bb2a2404120efaa27c6c325f35
SSDEEP

98304:yDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:yDqPe1Cxcxk3ZAEUadzR8yc4HI

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2052 tasksche.exe
Drops file in Windows directory 1 IoCs

Processes:

2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe

pid	process
2052	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

LogonUI.exe2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "18"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1424 LogonUI.exe

pid	process
1424	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe"
1⤵
- Drops file in Windows directory
PID:1496

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:2052

C:\Users\Admin\AppData\Local\Temp\2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-03-14_fb1c4d59adaf64a044dba323ea8fe6f0_wannacry.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:4764

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a1b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
2.3MB

MD5
69e155e2eadedfc8ca088d4c3c6e4f89

SHA1
3b6642fa2c112ac4cda0c83866962fb75dd1995b

SHA256
28533cb6d4e9bd6047ac90b8f30cb1d5b08d0fc2683f286f2a26330eb2a6e297

SHA512
58b53516bd3b0a2f16bf20bc34e422db79365b24e9f332850689694148b04e954877b73793642939e14a679f10328e0b2c0cd89ae84e309766ddeec293f7fd38

Download Submit