Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 22:52
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe
-
Size
3.6MB
-
MD5
ac15c0ef7b0cfd62f087ccb06db91f5d
-
SHA1
97c55ce90ecb1197d39c4b3c3f954bd8105c1c31
-
SHA256
40c89149489eb496635372b379a8f5437c01013d0119a480031a183c9fff4b37
-
SHA512
90de24ed02957057ab5dcb5e97fc03f1165ac97dff491709854eaec2c959c65e10b8a1ca17ee87d3a147d0c6b22d55b86ca99c8365e794271a0179dbf6cf3c94
-
SSDEEP
12288:GebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7:XbLgddQhfdmMSirYbcMNge
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3329) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 2300 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exedescription ioc process File created C:\WINDOWS\tasksche.exe 2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe"1⤵
- Drops file in Windows directory
PID:5088 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2300
-
C:\Users\Admin\AppData\Local\Temp\2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-05-22_ac15c0ef7b0cfd62f087ccb06db91f5d_wannacry.exe -m security1⤵
- Modifies data under HKEY_USERS
PID:4452
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD534f58fbfb5b65d11ddc3b677b9907737
SHA1c5e77e73425a71201303fdc5d9ad47d466c57a4f
SHA256d1843b9bbc6b2b0ada802108622174ec06a7602f072d72f9b94f1061ba174e03
SHA5123320d98e7eb92cda02aff16e7cd47b2c2ca5c7e43b581bc78fa1321f82ccb85f0bf619071e3cb5304a4ac526cb9f4cc5c1e1533c8035ebc2f4000211ea12f1d5