Analysis Overview
SHA256
07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
Threat Level: Known bad
The file wannacry-sample.exe was found to be: Known bad.
Malicious Activity Summary
Wannacry
Executes dropped EXE
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Modifies data under HKEY_USERS
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-20 14:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 14:06
Reported
2024-05-20 14:06
Platform
win7-20240221-en
Max time kernel
8s
Max time network
12s
Command Line
Signatures
Wannacry
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\tasksche.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\tasksche.exe | C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe
"C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe"
C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe
C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe -m security
C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
Network
| Country | Destination | Domain | Proto |
| US | 100.11.64.59:445 | tcp | |
| N/A | 10.127.0.1:445 | tcp | |
| N/A | 10.127.3.1:445 | tcp | |
| N/A | 10.127.2.1:445 | tcp | |
| N/A | 10.127.1.1:445 | tcp | |
| N/A | 10.127.5.1:445 | tcp | |
| N/A | 10.127.4.1:445 | tcp | |
| N/A | 10.127.8.1:445 | tcp | |
| N/A | 10.127.7.1:445 | tcp | |
| N/A | 10.127.9.1:445 | tcp | |
| N/A | 10.127.6.1:445 | tcp | |
| US | 74.171.134.33:445 | tcp | |
| N/A | 10.127.11.1:445 | tcp | |
| N/A | 10.127.10.1:445 | tcp | |
| N/A | 10.127.12.1:445 | tcp | |
| N/A | 10.127.13.1:445 | tcp | |
| N/A | 10.127.14.1:445 | tcp | |
| N/A | 10.127.15.1:445 | tcp | |
| N/A | 10.127.16.1:445 | tcp | |
| N/A | 10.127.17.1:445 | tcp | |
| N/A | 10.127.18.1:445 | tcp | |
| N/A | 10.127.19.1:445 | tcp | |
| N/A | 10.127.20.1:445 | tcp | |
| N/A | 10.127.21.1:445 | tcp | |
| KR | 121.158.118.199:445 | tcp | |
| ES | 213.164.168.238:445 | tcp | |
| N/A | 10.127.22.1:445 | tcp | |
| N/A | 10.127.23.1:445 | tcp | |
| N/A | 10.127.26.1:445 | tcp | |
| N/A | 10.127.25.1:445 | tcp | |
| N/A | 10.127.24.1:445 | tcp | |
| N/A | 10.127.28.1:445 | tcp | |
| N/A | 10.127.29.1:445 | tcp | |
| N/A | 10.127.27.1:445 | tcp | |
| CN | 120.40.79.249:445 | tcp | |
| N/A | 10.127.31.1:445 | tcp | |
| N/A | 10.127.30.1:445 | tcp | |
| NL | 151.175.93.119:445 | tcp | |
| N/A | 10.127.32.1:445 | tcp | |
| N/A | 10.127.33.1:445 | tcp | |
| N/A | 10.127.34.1:445 | tcp | |
| N/A | 10.127.35.1:445 | tcp | |
| N/A | 10.127.36.1:445 | tcp | |
| N/A | 10.127.37.1:445 | tcp | |
| N/A | 10.127.38.1:445 | tcp | |
| N/A | 10.127.39.1:445 | tcp | |
| N/A | 10.127.40.1:445 | tcp | |
| US | 50.252.65.183:445 | tcp | |
| IL | 84.94.242.241:445 | tcp | |
| N/A | 10.127.44.1:445 | tcp | |
| KR | 14.71.120.228:445 | tcp | |
| N/A | 10.127.43.1:445 | tcp | |
| N/A | 10.127.41.1:445 | tcp | |
| N/A | 10.127.42.1:445 | tcp | |
| N/A | 10.127.45.1:445 | tcp | |
| N/A | 10.127.48.1:445 | tcp | |
| ID | 202.154.29.80:445 | tcp | |
| N/A | 10.127.49.1:445 | tcp | |
| N/A | 10.127.47.1:445 | tcp | |
| N/A | 10.127.46.1:445 | tcp | |
| N/A | 10.127.54.1:445 | tcp | |
| N/A | 10.127.51.1:445 | tcp | |
| CA | 174.35.252.112:445 | tcp | |
| N/A | 10.127.53.1:445 | tcp | |
| N/A | 10.127.50.1:445 | tcp | |
| N/A | 10.127.52.1:445 | tcp | |
| N/A | 10.127.55.1:445 | tcp | |
| US | 153.90.19.172:445 | tcp | |
| N/A | 10.127.56.1:445 | tcp | |
| N/A | 10.127.57.1:445 | tcp | |
| N/A | 10.127.58.1:445 | tcp | |
| US | 6.103.63.2:445 | tcp | |
| CN | 39.179.56.167:445 | tcp | |
| N/A | 10.127.65.1:445 | tcp | |
| N/A | 10.127.60.1:445 | tcp | |
| N/A | 10.127.59.1:445 | tcp | |
| CN | 103.45.186.244:445 | tcp | |
| N/A | 10.127.62.1:445 | tcp | |
| FR | 92.151.57.16:445 | tcp | |
| N/A | 10.127.67.1:445 | tcp | |
| N/A | 10.127.66.1:445 | tcp | |
| N/A | 10.127.61.1:445 | tcp | |
| N/A | 10.127.63.1:445 | tcp | |
| N/A | 10.127.64.1:445 | tcp | |
| US | 32.46.190.7:445 | tcp | |
| N/A | 10.127.70.1:445 | tcp | |
| N/A | 10.127.68.1:445 | tcp | |
| N/A | 10.127.73.1:445 | tcp | |
| US | 45.20.95.195:445 | tcp | |
| N/A | 10.127.69.1:445 | tcp | |
| N/A | 10.127.71.1:445 | tcp | |
| N/A | 10.127.72.1:445 | tcp | |
| N/A | 10.127.74.1:445 | tcp | |
| N/A | 10.127.75.1:445 | tcp | |
| N/A | 10.127.76.1:445 | tcp | |
| N/A | 105.103.236.47:445 | tcp | |
| N/A | 10.127.77.1:445 | tcp | |
| N/A | 202.191.226.7:445 | tcp | |
| N/A | 10.127.78.1:445 | tcp |
Files
C:\Windows\tasksche.exe
| MD5 | 7f7ccaa16fb15eb1c7399d422f8363e8 |
| SHA1 | bd44d0ab543bf814d93b719c24e90d8dd7111234 |
| SHA256 | 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd |
| SHA512 | 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 14:06
Reported
2024-05-20 14:07
Platform
win10v2004-20240426-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Wannacry
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\WINDOWS\tasksche.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\tasksche.exe | C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe
"C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe"
C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe
C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe -m security
C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
Network
| Country | Destination | Domain | Proto |
| CN | 183.207.144.216:445 | tcp | |
| N/A | 10.127.0.1:445 | tcp | |
| N/A | 10.127.2.1:445 | tcp | |
| N/A | 10.127.6.1:445 | tcp | |
| N/A | 10.127.1.1:445 | tcp | |
| N/A | 10.127.3.1:445 | tcp | |
| N/A | 10.127.4.1:445 | tcp | |
| N/A | 10.127.5.1:445 | tcp | |
| N/A | 10.127.7.1:445 | tcp | |
| N/A | 10.127.8.1:445 | tcp | |
| N/A | 10.127.9.1:445 | tcp | |
| N/A | 10.127.10.1:445 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| N/A | 10.127.11.1:445 | tcp | |
| JP | 59.190.129.177:445 | tcp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| N/A | 10.127.12.1:445 | tcp | |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| N/A | 10.127.13.1:445 | tcp | |
| N/A | 10.127.14.1:445 | tcp | |
| CN | 223.117.226.40:445 | tcp | |
| N/A | 10.127.15.1:445 | tcp | |
| US | 72.180.228.31:445 | tcp | |
| N/A | 10.127.16.1:445 | tcp | |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| N/A | 10.127.21.1:445 | tcp | |
| N/A | 10.127.20.1:445 | tcp | |
| N/A | 10.127.17.1:445 | tcp | |
| N/A | 10.127.19.1:445 | tcp | |
| N/A | 10.127.27.1:445 | tcp | |
| N/A | 10.127.24.1:445 | tcp | |
| N/A | 10.127.25.1:445 | tcp | |
| N/A | 10.127.18.1:445 | tcp | |
| N/A | 10.127.22.1:445 | tcp | |
| N/A | 10.127.23.1:445 | tcp | |
| N/A | 10.127.26.1:445 | tcp | |
| N/A | 10.127.28.1:445 | tcp | |
| N/A | 10.127.29.1:445 | tcp | |
| N/A | 10.127.30.1:445 | tcp | |
| N/A | 10.127.31.1:445 | tcp | |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| N/A | 10.127.32.1:445 | tcp | |
| N/A | 10.127.33.1:445 | tcp | |
| JP | 58.3.212.183:445 | tcp | |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DK | 93.165.140.162:445 | tcp | |
| N/A | 10.127.36.1:445 | tcp | |
| N/A | 10.127.35.1:445 | tcp | |
| N/A | 10.127.37.1:445 | tcp | |
| N/A | 10.127.34.1:445 | tcp | |
| N/A | 10.127.38.1:445 | tcp | |
| KR | 27.119.202.45:445 | tcp | |
| N/A | 10.127.40.1:445 | tcp | |
| N/A | 10.127.43.1:445 | tcp | |
| N/A | 10.127.39.1:445 | tcp | |
| GB | 86.190.33.162:445 | tcp | |
| N/A | 10.127.44.1:445 | tcp | |
| N/A | 10.127.42.1:445 | tcp | |
| N/A | 10.127.45.1:445 | tcp | |
| US | 207.199.58.92:445 | tcp | |
| N/A | 10.127.41.1:445 | tcp | |
| N/A | 10.127.47.1:445 | tcp | |
| N/A | 10.127.46.1:445 | tcp | |
| N/A | 10.127.48.1:445 | tcp | |
| N/A | 10.127.49.1:445 | tcp | |
| N/A | 10.127.50.1:445 | tcp | |
| N/A | 10.127.51.1:445 | tcp | |
| N/A | 10.127.52.1:445 | tcp | |
| N/A | 10.127.53.1:445 | tcp | |
| N/A | 10.127.54.1:445 | tcp | |
| JP | 42.127.177.121:445 | tcp | |
| IS | 193.4.58.85:445 | tcp | |
| PH | 136.158.133.37:445 | tcp | |
| N/A | 10.127.55.1:445 | tcp | |
| N/A | 10.127.56.1:445 | tcp | |
| N/A | 10.127.57.1:445 | tcp | |
| N/A | 10.127.64.1:445 | tcp | |
| CN | 218.241.138.73:445 | tcp | |
| N/A | 10.127.58.1:445 | tcp | |
| IN | 103.39.5.60:445 | tcp | |
| N/A | 10.127.59.1:445 | tcp | |
| N/A | 10.127.61.1:445 | tcp | |
| N/A | 10.127.62.1:445 | tcp | |
| N/A | 10.127.67.1:445 | tcp | |
| N/A | 10.127.60.1:445 | tcp | |
| GB | 90.197.165.26:445 | tcp | |
| N/A | 10.127.63.1:445 | tcp | |
| N/A | 10.127.65.1:445 | tcp | |
| N/A | 10.127.66.1:445 | tcp | |
| US | 17.223.47.252:445 | tcp | |
| N/A | 10.127.68.1:445 | tcp | |
| N/A | 10.127.69.1:445 | tcp | |
| N/A | 10.127.70.1:445 | tcp | |
| N/A | 10.127.71.1:445 | tcp | |
| N/A | 10.127.72.1:445 | tcp | |
| N/A | 10.127.73.1:445 | tcp | |
| N/A | 10.127.74.1:445 | tcp | |
| N/A | 10.127.75.1:445 | tcp | |
| DE | 79.127.211.129:445 | tcp | |
| JP | 59.166.214.211:445 | tcp | |
| N/A | 10.127.76.1:445 | tcp | |
| DE | 20.79.134.36:445 | tcp | |
| N/A | 10.127.77.1:445 | tcp | |
| BR | 152.252.221.16:445 | tcp | |
| N/A | 10.127.78.1:445 | tcp | |
| N/A | 10.127.80.1:445 | tcp | |
| US | 30.0.189.173:445 | tcp | |
| N/A | 10.127.79.1:445 | tcp | |
| US | 29.163.191.185:445 | tcp | |
| N/A | 10.127.81.1:445 | tcp | |
| US | 173.124.102.212:445 | tcp | |
| N/A | 10.127.89.1:445 | tcp | |
| N/A | 10.127.88.1:445 | tcp | |
| US | 174.18.161.80:445 | tcp | |
| N/A | 10.127.82.1:445 | tcp | |
| N/A | 10.127.83.1:445 | tcp | |
| N/A | 10.127.84.1:445 | tcp | |
| N/A | 10.127.85.1:445 | tcp | |
| N/A | 10.127.86.1:445 | tcp | |
| N/A | 10.127.87.1:445 | tcp | |
| N/A | 10.127.90.1:445 | tcp | |
| N/A | 10.127.91.1:445 | tcp | |
| N/A | 10.127.92.1:445 | tcp | |
| IN | 182.58.129.147:445 | tcp | |
| N/A | 10.127.93.1:445 | tcp | |
| N/A | 10.127.94.1:445 | tcp | |
| N/A | 10.127.95.1:445 | tcp | |
| CN | 14.212.163.187:445 | tcp | |
| US | 7.149.52.203:445 | tcp | |
| US | 173.168.93.47:445 | tcp | |
| N/A | 10.127.97.1:445 | tcp | |
| N/A | 10.127.96.1:445 | tcp | |
| N/A | 10.127.98.1:445 | tcp | |
| DE | 51.74.10.176:445 | tcp | |
| CN | 114.252.79.48:445 | tcp | |
| N/A | 10.127.99.1:445 | tcp | |
| BR | 177.137.199.141:445 | tcp | |
| N/A | 10.127.100.1:445 | tcp | |
| US | 66.168.171.54:445 | tcp | |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| N/A | 10.127.101.1:445 | tcp | |
| N/A | 10.127.102.1:445 | tcp | |
| N/A | 10.127.104.1:445 | tcp | |
| N/A | 10.127.105.1:445 | tcp | |
| US | 55.220.254.31:445 | tcp | |
| N/A | 10.127.103.1:445 | tcp | |
| N/A | 10.127.106.1:445 | tcp | |
| N/A | 10.127.108.1:445 | tcp | |
| N/A | 10.127.107.1:445 | tcp | |
| N/A | 10.127.109.1:445 | tcp | |
| US | 146.15.187.189:445 | tcp | |
| N/A | 10.127.111.1:445 | tcp | |
| N/A | 10.127.110.1:445 | tcp | |
| N/A | 10.127.112.1:445 | tcp | |
| NL | 13.95.1.195:445 | tcp | |
| N/A | 10.127.113.1:445 | tcp | |
| JP | 106.172.15.13:445 | tcp | |
| US | 55.224.73.167:445 | tcp | |
| N/A | 10.127.114.1:445 | tcp | |
| N/A | 10.127.116.1:445 | tcp | |
| US | 173.133.141.129:445 | tcp | |
| N/A | 10.127.117.1:445 | tcp | |
| US | 100.52.41.146:445 | tcp | |
| N/A | 10.127.118.1:445 | tcp | |
| CN | 42.174.203.219:445 | tcp | |
| N/A | 10.127.120.1:445 | tcp | |
| N/A | 10.127.115.1:445 | tcp | |
| N/A | 10.127.122.1:445 | tcp | |
| US | 29.140.166.62:445 | tcp | |
| BR | 177.29.211.101:445 | tcp | |
| N/A | 10.127.119.1:445 | tcp | |
| N/A | 10.127.121.1:445 | tcp | |
| MO | 180.94.129.15:445 | tcp | |
| SA | 109.83.178.97:445 | tcp | |
| N/A | 10.127.125.1:445 | tcp | |
| N/A | 10.127.124.1:445 | tcp | |
| N/A | 10.127.126.1:445 | tcp | |
| US | 173.141.70.20:445 | tcp | |
| N/A | 10.127.123.1:445 | tcp | |
| N/A | 10.127.131.1:445 | tcp | |
| KR | 169.219.188.91:445 | tcp | |
| N/A | 10.127.127.1:445 | tcp | |
| N/A | 10.127.128.1:445 | tcp | |
| N/A | 10.127.129.1:445 | tcp | |
| N/A | 10.127.130.1:445 | tcp | |
| N/A | 10.127.132.1:445 | tcp | |
| N/A | 10.127.133.1:445 | tcp | |
| N/A | 10.127.134.1:445 | tcp | |
| JP | 27.89.181.87:445 | tcp | |
| DE | 140.181.120.54:445 | tcp | |
| FR | 82.228.16.184:445 | tcp | |
| N/A | 10.127.135.1:445 | tcp | |
| US | 66.39.142.122:445 | tcp | |
| US | 54.173.179.227:445 | tcp | |
| N/A | 10.127.138.1:445 | tcp | |
| US | 57.201.227.143:445 | tcp | |
| N/A | 10.127.137.1:445 | tcp | |
| N/A | 10.127.139.1:445 | tcp | |
| N/A | 10.127.136.1:445 | tcp | |
| AU | 129.127.220.106:445 | tcp | |
| N/A | 10.127.142.1:445 | tcp | |
| N/A | 10.127.141.1:445 | tcp | |
| N/A | 10.127.140.1:445 | tcp | |
| US | 153.69.168.198:445 | tcp | |
| JP | 126.6.21.140:445 | tcp | |
| N/A | 10.127.145.1:445 | tcp | |
| US | 161.69.18.199:445 | tcp | |
| US | 47.38.254.16:445 | tcp | |
| N/A | 10.127.144.1:445 | tcp | |
| US | 48.40.67.35:445 | tcp | |
| US | 72.206.74.194:445 | tcp | |
| N/A | 10.127.143.1:445 | tcp | |
| N/A | 10.127.149.1:445 | tcp | |
| US | 141.213.185.208:445 | tcp | |
| N/A | 10.127.148.1:445 | tcp | |
| N/A | 10.127.146.1:445 | tcp | |
| N/A | 10.127.147.1:445 | tcp | |
| N/A | 10.127.150.1:445 | tcp | |
| N/A | 10.127.151.1:445 | tcp | |
| N/A | 10.127.152.1:445 | tcp | |
| N/A | 10.127.153.1:445 | tcp | |
| N/A | 10.127.154.1:445 | tcp | |
| N/A | 10.127.155.1:445 | tcp | |
| N/A | 35.187.84.62:445 | tcp | |
| N/A | 10.127.156.1:445 | tcp | |
| N/A | 106.231.194.137:445 | tcp | |
| N/A | 166.245.185.219:445 | tcp |
Files
C:\Windows\tasksche.exe
| MD5 | 7f7ccaa16fb15eb1c7399d422f8363e8 |
| SHA1 | bd44d0ab543bf814d93b719c24e90d8dd7111234 |
| SHA256 | 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd |
| SHA512 | 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7 |