Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 13:52
Static task: static1
Behavioral task: behavioral1
- Sample: wannacry-sample.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: wannacry-sample.exe
- Resource: win10v2004-20240508-en
General
- Target: wannacry-sample.exe
- Size: 3.6MB
- MD5: d724d8cc6420f06e8a48752f0da11c66
- SHA1: 3b669778698972c402f7c149fc844d0ddb3a00e8
- SHA256: 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
- SHA512: d771d74894e72402bbd016787fb102053678424205644bceec17ee3e7598e3f4aeb59b0f3272b5dbe1d26289f659024520653f57fc1bfe18054ffae4f188aef9
- SSDEEP: 98304:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:Z8qPe1Cxcxk3ZAEUadzR8yc4HI
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (2465) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (1 IoC)
Processes:
  PID 1100  tasksche.exe
-
Drops file in Windows directory (1 IoC)
Processes:
  File created  C:\WINDOWS\tasksche.exe  (by wannacry-sample.exe)
-
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  (Taskmgr.exe)
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  (Taskmgr.exe)
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  (Taskmgr.exe)
-
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (Taskmgr.exe)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (Taskmgr.exe)
-
Suspicious behavior: EnumeratesProcesses (36 IoCs)
Processes:
  PID 3080  Taskmgr.exe  (36 identical entries)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 3080  Taskmgr.exe
  Token: SeSystemProfilePrivilege  PID 3080  Taskmgr.exe
  Token: SeCreateGlobalPrivilege  PID 3080  Taskmgr.exe
-
Suspicious use of FindShellTrayWindow (46 IoCs)
Processes:
  PID 3080  Taskmgr.exe  (46 identical entries)
-
Suspicious use of SendNotifyMessage (46 IoCs)
Processes:
  PID 3080  Taskmgr.exe  (46 identical entries)
-
Suspicious use of WriteProcessMemory (2 IoCs)
Processes:
  PID 3188 launchtm.exe wrote to memory of PID 3080 Taskmgr.exe  (2 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe"
  PID: 2872
  - Drops file in Windows directory
  - Child: C:\WINDOWS\tasksche.exe
    Command line: C:\WINDOWS\tasksche.exe /i
    PID: 1100
    - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe -m security
  PID: 1808
- C:\Windows\system32\launchtm.exe
  Command line: launchtm.exe /2
  PID: 3188
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\Taskmgr.exe
    Command line: "C:\Windows\System32\Taskmgr.exe" /2
    PID: 3080
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3.4MB
MD5: 7f7ccaa16fb15eb1c7399d422f8363e8
SHA1: bd44d0ab543bf814d93b719c24e90d8dd7111234
SHA256: 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
SHA512: 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7