Analysis
-
max time kernel
151s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25-03-2024 08:24
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe
-
Size
5.0MB
-
MD5
7608b7375801031c8dfc7f8dc694dd70
-
SHA1
6ceef47328d54e966a7d3503f76c5746235a65ce
-
SHA256
5316baecafb6a41da7d169b66629675bfac0bbb0cbbf781adf87547c68dd0975
-
SHA512
3c75cb6ba84de6b01f6af5c36704ea290147e188a02fa985179af5bf8cb6637f36f21967954f92d6c6d03568a78e515f1c0571aa9ea5bfc3ec5f5be47e042f3f
-
SSDEEP
49152:VnAQqMSPbcBVQej/1INRx+TSqTdd1HkQo6S:ZDqPoBhz1aRxcSUZk36S
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3265) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 5060 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exedescription ioc process File created C:\WINDOWS\tasksche.exe 2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe"1⤵
- Drops file in Windows directory
PID:1780 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:5060
-
C:\Users\Admin\AppData\Local\Temp\2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-03-25_7608b7375801031c8dfc7f8dc694dd70_wannacry.exe -m security1⤵
- Modifies data under HKEY_USERS
PID:3612
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5936ac6dc8ead0decc586651882460294
SHA178f74f1aa4b72e805169c4ed3549077826c2f2ed
SHA256c41320b0761da87c4ab4452e763ba965e261bdebd6c7cdd43ea68885c16b624a
SHA5126d531a9ef1c18857db066d95a2be2009ec6a7ea7f8adeb136e31196f937b9e4ecd6a5df9ce95aa1fba7d3e430c2b4becf31bfa664b56ff70c54468e8d734a4c1