Malware Analysis Report

2024-10-19 07:31

Sample ID 240520-rer5bsdh7z
Target wannacry-sample.exe
SHA256 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
Tags
wannacry ransomware worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd

Threat Level: Known bad

The file wannacry-sample.exe was found to be: Known bad.

Malicious Activity Summary

wannacry ransomware worm

Wannacry

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies data under HKEY_USERS

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-20 14:06

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-20 14:06

Reported

2024-05-20 14:06

Platform

win7-20240221-en

Max time kernel

8s

Max time network

12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe"

Signatures

Wannacry

ransomware worm wannacry

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\WINDOWS\tasksche.exe
Target: N/A

Drops file in System32 directory

Description: File opened for modification
Indicator: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
Process: C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\WINDOWS\tasksche.exe
Process: C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe
Target: N/A

Modifies data under HKEY_USERS

Description: Key created
Indicator: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Process: C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe

"C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe"

C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe

C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe -m security

C:\WINDOWS\tasksche.exe

C:\WINDOWS\tasksche.exe /i

Network

Country Destination Domain Proto
US 100.11.64.59:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.3.1:445 tcp
N/A 10.127.2.1:445 tcp
N/A 10.127.1.1:445 tcp
N/A 10.127.5.1:445 tcp
N/A 10.127.4.1:445 tcp
N/A 10.127.8.1:445 tcp
N/A 10.127.7.1:445 tcp
N/A 10.127.9.1:445 tcp
N/A 10.127.6.1:445 tcp
US 74.171.134.33:445 tcp
N/A 10.127.11.1:445 tcp
N/A 10.127.10.1:445 tcp
N/A 10.127.12.1:445 tcp
N/A 10.127.13.1:445 tcp
N/A 10.127.14.1:445 tcp
N/A 10.127.15.1:445 tcp
N/A 10.127.16.1:445 tcp
N/A 10.127.17.1:445 tcp
N/A 10.127.18.1:445 tcp
N/A 10.127.19.1:445 tcp
N/A 10.127.20.1:445 tcp
N/A 10.127.21.1:445 tcp
KR 121.158.118.199:445 tcp
ES 213.164.168.238:445 tcp
N/A 10.127.22.1:445 tcp
N/A 10.127.23.1:445 tcp
N/A 10.127.26.1:445 tcp
N/A 10.127.25.1:445 tcp
N/A 10.127.24.1:445 tcp
N/A 10.127.28.1:445 tcp
N/A 10.127.29.1:445 tcp
N/A 10.127.27.1:445 tcp
CN 120.40.79.249:445 tcp
N/A 10.127.31.1:445 tcp
N/A 10.127.30.1:445 tcp
NL 151.175.93.119:445 tcp
N/A 10.127.32.1:445 tcp
N/A 10.127.33.1:445 tcp
N/A 10.127.34.1:445 tcp
N/A 10.127.35.1:445 tcp
N/A 10.127.36.1:445 tcp
N/A 10.127.37.1:445 tcp
N/A 10.127.38.1:445 tcp
N/A 10.127.39.1:445 tcp
N/A 10.127.40.1:445 tcp
US 50.252.65.183:445 tcp
IL 84.94.242.241:445 tcp
N/A 10.127.44.1:445 tcp
KR 14.71.120.228:445 tcp
N/A 10.127.43.1:445 tcp
N/A 10.127.41.1:445 tcp
N/A 10.127.42.1:445 tcp
N/A 10.127.45.1:445 tcp
N/A 10.127.48.1:445 tcp
ID 202.154.29.80:445 tcp
N/A 10.127.49.1:445 tcp
N/A 10.127.47.1:445 tcp
N/A 10.127.46.1:445 tcp
N/A 10.127.54.1:445 tcp
N/A 10.127.51.1:445 tcp
CA 174.35.252.112:445 tcp
N/A 10.127.53.1:445 tcp
N/A 10.127.50.1:445 tcp
N/A 10.127.52.1:445 tcp
N/A 10.127.55.1:445 tcp
US 153.90.19.172:445 tcp
N/A 10.127.56.1:445 tcp
N/A 10.127.57.1:445 tcp
N/A 10.127.58.1:445 tcp
US 6.103.63.2:445 tcp
CN 39.179.56.167:445 tcp
N/A 10.127.65.1:445 tcp
N/A 10.127.60.1:445 tcp
N/A 10.127.59.1:445 tcp
CN 103.45.186.244:445 tcp
N/A 10.127.62.1:445 tcp
FR 92.151.57.16:445 tcp
N/A 10.127.67.1:445 tcp
N/A 10.127.66.1:445 tcp
N/A 10.127.61.1:445 tcp
N/A 10.127.63.1:445 tcp
N/A 10.127.64.1:445 tcp
US 32.46.190.7:445 tcp
N/A 10.127.70.1:445 tcp
N/A 10.127.68.1:445 tcp
N/A 10.127.73.1:445 tcp
US 45.20.95.195:445 tcp
N/A 10.127.69.1:445 tcp
N/A 10.127.71.1:445 tcp
N/A 10.127.72.1:445 tcp
N/A 10.127.74.1:445 tcp
N/A 10.127.75.1:445 tcp
N/A 10.127.76.1:445 tcp
N/A 105.103.236.47:445 tcp
N/A 10.127.77.1:445 tcp
N/A 202.191.226.7:445 tcp
N/A 10.127.78.1:445 tcp

Files

C:\Windows\tasksche.exe

MD5 7f7ccaa16fb15eb1c7399d422f8363e8
SHA1 bd44d0ab543bf814d93b719c24e90d8dd7111234
SHA256 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
SHA512 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 14:06

Reported

2024-05-20 14:07

Platform

win10v2004-20240426-en

Max time kernel

15s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe"

Signatures

Wannacry

ransomware worm wannacry

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\WINDOWS\tasksche.exe
Target: N/A

Drops file in Windows directory

Description: File created
Indicator: C:\WINDOWS\tasksche.exe
Process: C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe

"C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe"

C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe

C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe -m security

C:\WINDOWS\tasksche.exe

C:\WINDOWS\tasksche.exe /i
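The process tree is identical in both detonations: the submitted file starts, re-launches itself with `-m security`, and then executes the dropped C:\WINDOWS\tasksche.exe with `/i`. That chain, together with the tasksche.exe hashes in the Files section, is what host-based detection should key on; the submitted filename (wannacry-sample.exe) is arbitrary. The script below is an added example and not part of the sandbox report: it runs a few constructed Sysmon-style process-creation events (the pids, parent pids and the benign notepad.exe event are made up) through rules derived from the tree above, and checks file bytes against the report's tasksche.exe hashes.

```python
import hashlib
import re

# Constructed process-creation events in a Sysmon-like shape.
# Paths and command lines are the ones recorded in the report;
# pids, ppids and the notepad.exe event are made up for the example.
EVENTS = [
    {"pid": 1200, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe"'},
    {"pid": 1300, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\wannacry-sample.exe -m security"},
    {"pid": 1400, "ppid": 1300,
     "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 1500, "ppid": 900,
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe"},
]

# Hashes of the dropped C:\Windows\tasksche.exe from the report's Files section.
DROPPED_HASHES = {
    "md5": "7f7ccaa16fb15eb1c7399d422f8363e8",
    "sha1": "bd44d0ab543bf814d93b719c24e90d8dd7111234",
    "sha256": "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd",
    "sha512": "83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0"
              "fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7",
}


def match_process_chain(events):
    """Return {pid: [rule names]} for events matching the observed chain:
    a process re-launching its own image with '-m security', and the
    dropped tasksche.exe in the Windows directory, optionally with '/i'."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        image = e["image"].lower()
        cmd = e["cmdline"].lower()
        parent = by_pid.get(e["ppid"])
        rules = []
        # self re-launch: same image as parent, '-m security' on the command line
        if (re.search(r"\s-m\s+security\s*$", cmd)
                and parent and parent["image"].lower() == image):
            rules.append("self_relaunch_m_security")
        if image.endswith(r"\windows\tasksche.exe"):
            rules.append("tasksche_in_windows_dir")
            if re.search(r"\s/i\s*$", cmd):
                rules.append("tasksche_install_switch")
        if rules:
            hits[e["pid"]] = rules
    return hits


def hashes_of(data: bytes):
    """All four digests the report lists, so any one of them can be compared."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def matches_dropped_file(data: bytes):
    """True when any digest of the bytes equals the report's tasksche.exe IOC."""
    h = hashes_of(data)
    return any(h[name] == value for name, value in DROPPED_HASHES.items())


if __name__ == "__main__":
    for pid, rules in match_process_chain(EVENTS).items():
        print(pid, EVENTS[[e["pid"] for e in EVENTS].index(pid)]["cmdline"], rules)
    print("hash IOC hit:", matches_dropped_file(b"placeholder bytes"))
```

The hash check only catches this exact dropped binary; the command-line and parent/child rules are the more durable signal, since the same chain appears on both the Windows 7 and Windows 10 detonations regardless of the submitted filename.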

Network

Country Destination Domain Proto
CN 183.207.144.216:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.2.1:445 tcp
N/A 10.127.6.1:445 tcp
N/A 10.127.1.1:445 tcp
N/A 10.127.3.1:445 tcp
N/A 10.127.4.1:445 tcp
N/A 10.127.5.1:445 tcp
N/A 10.127.7.1:445 tcp
N/A 10.127.8.1:445 tcp
N/A 10.127.9.1:445 tcp
N/A 10.127.10.1:445 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
N/A 10.127.11.1:445 tcp
JP 59.190.129.177:445 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
N/A 10.127.12.1:445 tcp
NL 23.62.61.97:443 www.bing.com tcp
N/A 10.127.13.1:445 tcp
N/A 10.127.14.1:445 tcp
CN 223.117.226.40:445 tcp
N/A 10.127.15.1:445 tcp
US 72.180.228.31:445 tcp
N/A 10.127.16.1:445 tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
N/A 10.127.21.1:445 tcp
N/A 10.127.20.1:445 tcp
N/A 10.127.17.1:445 tcp
N/A 10.127.19.1:445 tcp
N/A 10.127.27.1:445 tcp
N/A 10.127.24.1:445 tcp
N/A 10.127.25.1:445 tcp
N/A 10.127.18.1:445 tcp
N/A 10.127.22.1:445 tcp
N/A 10.127.23.1:445 tcp
N/A 10.127.26.1:445 tcp
N/A 10.127.28.1:445 tcp
N/A 10.127.29.1:445 tcp
N/A 10.127.30.1:445 tcp
N/A 10.127.31.1:445 tcp
NL 23.62.61.97:443 www.bing.com tcp
N/A 10.127.32.1:445 tcp
N/A 10.127.33.1:445 tcp
JP 58.3.212.183:445 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
DK 93.165.140.162:445 tcp
N/A 10.127.36.1:445 tcp
N/A 10.127.35.1:445 tcp
N/A 10.127.37.1:445 tcp
N/A 10.127.34.1:445 tcp
N/A 10.127.38.1:445 tcp
KR 27.119.202.45:445 tcp
N/A 10.127.40.1:445 tcp
N/A 10.127.43.1:445 tcp
N/A 10.127.39.1:445 tcp
GB 86.190.33.162:445 tcp
N/A 10.127.44.1:445 tcp
N/A 10.127.42.1:445 tcp
N/A 10.127.45.1:445 tcp
US 207.199.58.92:445 tcp
N/A 10.127.41.1:445 tcp
N/A 10.127.47.1:445 tcp
N/A 10.127.46.1:445 tcp
N/A 10.127.48.1:445 tcp
N/A 10.127.49.1:445 tcp
N/A 10.127.50.1:445 tcp
N/A 10.127.51.1:445 tcp
N/A 10.127.52.1:445 tcp
N/A 10.127.53.1:445 tcp
N/A 10.127.54.1:445 tcp
JP 42.127.177.121:445 tcp
IS 193.4.58.85:445 tcp
PH 136.158.133.37:445 tcp
N/A 10.127.55.1:445 tcp
N/A 10.127.56.1:445 tcp
N/A 10.127.57.1:445 tcp
N/A 10.127.64.1:445 tcp
CN 218.241.138.73:445 tcp
N/A 10.127.58.1:445 tcp
IN 103.39.5.60:445 tcp
N/A 10.127.59.1:445 tcp
N/A 10.127.61.1:445 tcp
N/A 10.127.62.1:445 tcp
N/A 10.127.67.1:445 tcp
N/A 10.127.60.1:445 tcp
GB 90.197.165.26:445 tcp
N/A 10.127.63.1:445 tcp
N/A 10.127.65.1:445 tcp
N/A 10.127.66.1:445 tcp
US 17.223.47.252:445 tcp
N/A 10.127.68.1:445 tcp
N/A 10.127.69.1:445 tcp
N/A 10.127.70.1:445 tcp
N/A 10.127.71.1:445 tcp
N/A 10.127.72.1:445 tcp
N/A 10.127.73.1:445 tcp
N/A 10.127.74.1:445 tcp
N/A 10.127.75.1:445 tcp
DE 79.127.211.129:445 tcp
JP 59.166.214.211:445 tcp
N/A 10.127.76.1:445 tcp
DE 20.79.134.36:445 tcp
N/A 10.127.77.1:445 tcp
BR 152.252.221.16:445 tcp
N/A 10.127.78.1:445 tcp
N/A 10.127.80.1:445 tcp
US 30.0.189.173:445 tcp
N/A 10.127.79.1:445 tcp
US 29.163.191.185:445 tcp
N/A 10.127.81.1:445 tcp
US 173.124.102.212:445 tcp
N/A 10.127.89.1:445 tcp
N/A 10.127.88.1:445 tcp
US 174.18.161.80:445 tcp
N/A 10.127.82.1:445 tcp
N/A 10.127.83.1:445 tcp
N/A 10.127.84.1:445 tcp
N/A 10.127.85.1:445 tcp
N/A 10.127.86.1:445 tcp
N/A 10.127.87.1:445 tcp
N/A 10.127.90.1:445 tcp
N/A 10.127.91.1:445 tcp
N/A 10.127.92.1:445 tcp
IN 182.58.129.147:445 tcp
N/A 10.127.93.1:445 tcp
N/A 10.127.94.1:445 tcp
N/A 10.127.95.1:445 tcp
CN 14.212.163.187:445 tcp
US 7.149.52.203:445 tcp
US 173.168.93.47:445 tcp
N/A 10.127.97.1:445 tcp
N/A 10.127.96.1:445 tcp
N/A 10.127.98.1:445 tcp
DE 51.74.10.176:445 tcp
CN 114.252.79.48:445 tcp
N/A 10.127.99.1:445 tcp
BR 177.137.199.141:445 tcp
N/A 10.127.100.1:445 tcp
US 66.168.171.54:445 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 10.127.101.1:445 tcp
N/A 10.127.102.1:445 tcp
N/A 10.127.104.1:445 tcp
N/A 10.127.105.1:445 tcp
US 55.220.254.31:445 tcp
N/A 10.127.103.1:445 tcp
N/A 10.127.106.1:445 tcp
N/A 10.127.108.1:445 tcp
N/A 10.127.107.1:445 tcp
N/A 10.127.109.1:445 tcp
US 146.15.187.189:445 tcp
N/A 10.127.111.1:445 tcp
N/A 10.127.110.1:445 tcp
N/A 10.127.112.1:445 tcp
NL 13.95.1.195:445 tcp
N/A 10.127.113.1:445 tcp
JP 106.172.15.13:445 tcp
US 55.224.73.167:445 tcp
N/A 10.127.114.1:445 tcp
N/A 10.127.116.1:445 tcp
US 173.133.141.129:445 tcp
N/A 10.127.117.1:445 tcp
US 100.52.41.146:445 tcp
N/A 10.127.118.1:445 tcp
CN 42.174.203.219:445 tcp
N/A 10.127.120.1:445 tcp
N/A 10.127.115.1:445 tcp
N/A 10.127.122.1:445 tcp
US 29.140.166.62:445 tcp
BR 177.29.211.101:445 tcp
N/A 10.127.119.1:445 tcp
N/A 10.127.121.1:445 tcp
MO 180.94.129.15:445 tcp
SA 109.83.178.97:445 tcp
N/A 10.127.125.1:445 tcp
N/A 10.127.124.1:445 tcp
N/A 10.127.126.1:445 tcp
US 173.141.70.20:445 tcp
N/A 10.127.123.1:445 tcp
N/A 10.127.131.1:445 tcp
KR 169.219.188.91:445 tcp
N/A 10.127.127.1:445 tcp
N/A 10.127.128.1:445 tcp
N/A 10.127.129.1:445 tcp
N/A 10.127.130.1:445 tcp
N/A 10.127.132.1:445 tcp
N/A 10.127.133.1:445 tcp
N/A 10.127.134.1:445 tcp
JP 27.89.181.87:445 tcp
DE 140.181.120.54:445 tcp
FR 82.228.16.184:445 tcp
N/A 10.127.135.1:445 tcp
US 66.39.142.122:445 tcp
US 54.173.179.227:445 tcp
N/A 10.127.138.1:445 tcp
US 57.201.227.143:445 tcp
N/A 10.127.137.1:445 tcp
N/A 10.127.139.1:445 tcp
N/A 10.127.136.1:445 tcp
AU 129.127.220.106:445 tcp
N/A 10.127.142.1:445 tcp
N/A 10.127.141.1:445 tcp
N/A 10.127.140.1:445 tcp
US 153.69.168.198:445 tcp
JP 126.6.21.140:445 tcp
N/A 10.127.145.1:445 tcp
US 161.69.18.199:445 tcp
US 47.38.254.16:445 tcp
N/A 10.127.144.1:445 tcp
US 48.40.67.35:445 tcp
US 72.206.74.194:445 tcp
N/A 10.127.143.1:445 tcp
N/A 10.127.149.1:445 tcp
US 141.213.185.208:445 tcp
N/A 10.127.148.1:445 tcp
N/A 10.127.146.1:445 tcp
N/A 10.127.147.1:445 tcp
N/A 10.127.150.1:445 tcp
N/A 10.127.151.1:445 tcp
N/A 10.127.152.1:445 tcp
N/A 10.127.153.1:445 tcp
N/A 10.127.154.1:445 tcp
N/A 10.127.155.1:445 tcp
N/A 35.187.84.62:445 tcp
N/A 10.127.156.1:445 tcp
N/A 106.231.194.137:445 tcp
N/A 166.245.185.219:445 tcp
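Both network tables show the same pattern within a few seconds of kernel time: a sweep of 445/tcp across 10.127.x.1 addresses in consecutive /24s, plus connections on 445/tcp to apparently random public hosts across many countries. The DNS queries to 8.8.8.8, the in-addr.arpa lookups and the bing.com connections in the Windows 10 run are most likely OS background traffic and should not be read as sample activity. The script below is an added example and not part of the sandbox report: it parses rows in the report's "Country Destination Domain Proto" layout (the Domain column is blank on most rows, so rows have three or four fields), separates 445/tcp fan-out from everything else, and alerts when the number of distinct SMB targets crosses a threshold. The sample rows are a constructed subset of the tables above and the threshold value is an assumption.

```python
import ipaddress

# Constructed sample: a handful of rows copied from the report's network
# tables in their "Country Destination Domain Proto" layout, not the full list.
SAMPLE_ROWS = """\
US 100.11.64.59:445 tcp
N/A 10.127.0.1:445 tcp
N/A 10.127.1.1:445 tcp
N/A 10.127.2.1:445 tcp
N/A 10.127.3.1:445 tcp
KR 121.158.118.199:445 tcp
ES 213.164.168.238:445 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
"""

# Explicit RFC 1918 ranges rather than ipaddress.is_private, whose
# membership list differs between Python versions.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_rows(text):
    """Parse report rows into dicts. A row has 3 fields when the Domain
    column is empty (all the SMB rows) and 4 when a domain is present."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue  # header line or malformed row
        host, _, port = parts[1].rpartition(":")
        rows.append({
            "country": parts[0],
            "ip": ipaddress.ip_address(host),
            "port": int(port),
            "domain": parts[2] if len(parts) == 4 else None,
            "proto": parts[-1],
        })
    return rows


def smb_fanout(rows, threshold=10):
    """Summarise 445/tcp fan-out from one host. Many distinct SMB peers in a
    short window, internal and external, is the worm signal. The threshold
    is an assumed value; tune it against your own baseline."""
    smb = [r for r in rows if r["port"] == 445 and r["proto"] == "tcp"]
    private = {r["ip"] for r in smb if is_rfc1918(r["ip"])}
    public = {r["ip"] for r in smb if not is_rfc1918(r["ip"])}
    # distinct internal /24s touched: a sweep walks adjacent subnets
    subnets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in private}
    distinct = len(private | public)
    return {
        "smb_private": len(private),
        "smb_public": len(public),
        "smb_distinct": distinct,
        "swept_subnets": len(subnets),
        "non_smb_flows": len(rows) - len(smb),
        "alert": distinct >= threshold,
    }


if __name__ == "__main__":
    summary = smb_fanout(parse_rows(SAMPLE_ROWS), threshold=5)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the full behavioral2 table the public count alone is well above any sane threshold; the point of splitting private from public is that outbound 445/tcp to the internet from a workstation is almost never legitimate, so that side of the summary can carry a far lower threshold than the internal side.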

Files

C:\Windows\tasksche.exe

MD5 7f7ccaa16fb15eb1c7399d422f8363e8
SHA1 bd44d0ab543bf814d93b719c24e90d8dd7111234
SHA256 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
SHA512 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7