Analysis

  • max time kernel: 150s
  • max time network: 153s
  • platform: windows7_x64
  • resource: win7-20240221-en
  • resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted: 24-05-2024 15:37

General

  • Target: 2024-05-24_2c0a37f96ff7d5c08ebfc94d40b18606_wannacry.exe
  • Size: 5.0MB
  • MD5: 2c0a37f96ff7d5c08ebfc94d40b18606
  • SHA1: 8db8602e6400aa0a980c0a046324dad968655cae
  • SHA256: d5bee2f82f619aca6f3e967112e37f1797a996f268fa3ed6236ba8adba140fe1
  • SHA512: 2786d276253d810bedb7fff04cc7524acff358c7c66d7b173d429d29dee6793adf65f673aa8087cd45df3923e5a0513e8dd199ed0c650f0916217f89690f89ae
  • SSDEEP: 24576:QbLguriI/MSirYbcMNgef0QeQjG/D8kIqBbOSSqTPVXmiHkQg6E:Qn9MSPbcBVQej/BSqTdX1HkQG

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm: it encrypts the victim's files and spreads on its own over SMB (TCP/445) using the EternalBlue exploit for MS17-010. The second instance of the sample in the process tree, run with "-m security", matches how the worm component is started once it has installed itself as a service.

  • Contacts a large number (3234) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services. For a WannaCry sample it is the expected SMB sweep of the local subnet and of random internet addresses.

  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 2 IoCs

    Both hits are top-level notepad.exe processes opening files that were already in Downloads (BackupImport.ini, CompleteReceive.css), not children of the sample; treat them as a false positive for a ransom note unless the file content says otherwise.
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of SetWindowsHookEx 35 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
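The two network signatures above (many remote hosts, many flows) are a fan-out heuristic. The block below is an added example of that heuristic, not code from the Triage sandbox: it counts distinct destination addresses per (source, destination port) inside a sliding time window and alerts when the count crosses a threshold. The flow records are constructed; the hosts, timings and threshold are assumptions.

```python
"""Flag hosts that fan out to many distinct peers on one port (ATT&CK T1046).

Added example for this report, not part of the Triage output. The flow
records are constructed, not the sandbox's capture.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts_ms: int     # milliseconds since capture start (integers avoid float edge cases)
    src: str
    dst: str
    dport: int


def detect_fanout(flows: Iterable[Flow], window_ms: int = 60_000,
                  threshold: int = 50) -> Dict[Tuple[str, int], int]:
    """Map (src, dport) -> peak number of distinct dst seen inside any window,
    for the pairs whose peak reached `threshold`."""
    by_key: Dict[Tuple[str, int], List[Tuple[int, str]]] = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts_ms):
        by_key[(f.src, f.dport)].append((f.ts_ms, f.dst))

    alerts: Dict[Tuple[str, int], int] = {}
    for key, events in by_key.items():
        in_window: Dict[str, int] = defaultdict(int)  # dst -> flows currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # evict events older than the window; events are time-sorted so the
            # left edge only moves forward
            while ts - events[left][0] > window_ms:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def constructed_capture() -> List[Flow]:
    """Constructed sample: one host sweeping 192.168.1.0/24 on TCP/445 at
    2.5 hosts/s, plus a workstation talking repeatedly to three servers on 443."""
    flows = [Flow(i * 400, "10.0.0.15", f"192.168.1.{i}", 445) for i in range(1, 255)]
    flows += [Flow(i * 500, "10.0.0.20", f"10.0.0.{100 + i % 3}", 443) for i in range(200)]
    return flows


if __name__ == "__main__":
    for (src, dport), peak in detect_fanout(constructed_capture()).items():
        print(f"ALERT {src}: {peak} distinct hosts on tcp/{dport} within 60s")
```

Keying on destination port as well as source is what separates a worm sweep (hundreds of peers on one port) from a busy but legitimate client; the benign host in the sample never exceeds three distinct peers however many flows it opens.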

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-24_2c0a37f96ff7d5c08ebfc94d40b18606_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-24_2c0a37f96ff7d5c08ebfc94d40b18606_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    PID:2280
  • C:\Users\Admin\AppData\Local\Temp\2024-05-24_2c0a37f96ff7d5c08ebfc94d40b18606_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-05-24_2c0a37f96ff7d5c08ebfc94d40b18606_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2504
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\WatchGrant.ADTS"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1656
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\WaitApprove.html
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2208
  • C:\Windows\System32\xpsrchvw.exe
    "C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Desktop\UndoNew.xps"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2800
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1828
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\BackupImport.ini
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:2156
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Downloads\BlockReset.doc"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2996
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
      2⤵
      PID:2332
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde /n
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2716
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CompleteReceive.css
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:280
  • C:\Windows\System32\xpsrchvw.exe
    "C:\Windows\System32\xpsrchvw.exe" "C:\Users\Admin\Downloads\CompleteUndo.edrwx"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2652
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\ConfirmRevoke.raw
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\ConfirmRevoke.raw"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:904
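Most processes in the tree above start at level 1 with nothing in common with the sample beyond a shared desktop (VLC, Internet Explorer, Word, Excel, the XPS viewer, Adobe Reader opening files that were already on disk), so the behaviours they trigger must be separated from the sample's own. The block below is an added example of that triage step, not code from the Triage sandbox: it rebuilds process ancestry from (pid, ppid) records and partitions the list into the sample's lineage and everything else. The records are constructed from the PIDs and command lines shown above; every parent PID is an assumption (the report prints nesting levels, not parents), and PIDs 1700 and 476 are placeholders not present in the report.

```python
"""Split a sandbox process list into the sample's lineage and everything else.

Added example for this report, not part of the Triage output. The parent
PIDs below are assumed; 1700 (explorer's parent) and 476 (services.exe) are
placeholders that do not appear in the report.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

SAMPLE = "2024-05-24_2c0a37f96ff7d5c08ebfc94d40b18606_wannacry.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def lineage(procs: Iterable[Proc], roots: Set[int]) -> Set[int]:
    """PIDs of every root plus every process reachable from it by ppid links."""
    children: Dict[int, List[int]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)
    seen: Set[int] = set()
    stack = list(roots)
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def split_by_sample(procs: List[Proc], sample_image: str) -> Tuple[List[int], List[int]]:
    """Return (sample lineage PIDs, other PIDs), both sorted.

    Roots are every process whose image is the sample, not just the first
    launch: an instance re-started by the service control manager (the
    "-m security" run) sits on a different ppid chain and would otherwise be
    missed.
    """
    roots = {p.pid for p in procs if p.image.lower().endswith(sample_image.lower())}
    tree = lineage(procs, roots)
    inside = sorted(p.pid for p in procs if p.pid in tree)
    outside = sorted(p.pid for p in procs if p.pid not in tree)
    return inside, outside


def constructed_process_list() -> List[Proc]:
    """Constructed records; all ppids are assumed (see module docstring)."""
    return [
        Proc(1828, 1700, "C:\\Windows\\explorer.exe", '"C:\\Windows\\explorer.exe"'),
        Proc(2280, 1828, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
        Proc(476, 376, "C:\\Windows\\System32\\services.exe", "services.exe"),  # placeholder
        Proc(2504, 476, SAMPLE_PATH, f"{SAMPLE_PATH} -m security"),  # assumed service-started
        Proc(1656, 1828, "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe", "vlc.exe --started-from-file WatchGrant.ADTS"),
        Proc(2508, 1828, "C:\\Program Files\\Internet Explorer\\iexplore.exe", "iexplore.exe WaitApprove.html"),
        Proc(2208, 2508, "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE", "IEXPLORE.EXE SCODEF:2508 CREDAT:275457 /prefetch:2"),
        Proc(2800, 1828, "C:\\Windows\\System32\\xpsrchvw.exe", "xpsrchvw.exe UndoNew.xps"),
        Proc(2156, 1828, "C:\\Windows\\system32\\NOTEPAD.EXE", "NOTEPAD.EXE BackupImport.ini"),
        Proc(2996, 1828, "C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE", "WINWORD.EXE /n BlockReset.doc"),
        Proc(2748, 1828, "C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe", "wmplayer.exe /prefetch:1"),
        Proc(2332, 2748, "C:\\Program Files (x86)\\Windows Media Player\\setup_wm.exe", "setup_wm.exe /RunOnce:wmplayer.exe /prefetch:1"),
        Proc(2716, 1828, "C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE", "EXCEL.EXE /dde /n"),
        Proc(280, 1828, "C:\\Windows\\system32\\NOTEPAD.EXE", "NOTEPAD.EXE CompleteReceive.css"),
        Proc(2652, 1828, "C:\\Windows\\System32\\xpsrchvw.exe", "xpsrchvw.exe CompleteUndo.edrwx"),
        Proc(3060, 1828, "C:\\Windows\\system32\\rundll32.exe", "rundll32.exe shell32.dll,OpenAs_RunDLL ConfirmRevoke.raw"),
        Proc(904, 3060, "C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe", "AcroRd32.exe ConfirmRevoke.raw"),
    ]


if __name__ == "__main__":
    inside, outside = split_by_sample(constructed_process_list(), SAMPLE)
    print("sample lineage:", inside)
    print("not the sample:", outside)
```

Following ppid links alone from PID 2280 reaches nothing else, which is the trap: a worm that installs a service gets its second life from services.exe, so lineage must be seeded by image match as well as by the launch PID. Everything left in the "outside" list is where the AddClipboardFormatListener, SetWindowsHookEx and Internet Explorer hits above come from.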

MITRE ATT&CK Matrix ATT&CK v13

  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Network Service Discovery (T1046): 2
    System Information Discovery (T1082): 2
    Query Registry (T1012): 1


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize: 68KB
    MD5: 29f65ba8e88c063813cc50a4ea544e93
    SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
    SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
    SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 623020b0ae8f938ae8440514e575c0d2
    SHA1: ca87b6e5b8ee0fe2b39231b351e66e26e087bdb9
    SHA256: 75771b153e1b64e3e2bf1c3d4b1cab907437b8a9198f8f558039323d35370239
    SHA512: 365931fc1cf265e2a5bee7cdbcbcbf7291052bc22f530fee86597346612245e2048193b1efd34eb5069d4fd9165a605392e26bfa8a52f2da529599bc904dc5ce

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: e21dcad3d32ef09f162fbd37aa4201a6
    SHA1: bef0178807070310485a3a26ab93f170c1962523
    SHA256: 56100d846cdfe91c519167c9b1d2a5b6623ebb777fc8423a0f7952005ffbcbd2
    SHA512: c18c7881a6fcab515af7aa908604e868b102ebb147bb07f5cff8b6fab0f86c2718cb35e1219b014d3cf42a1785d561e39b898fe6829536c79124a29ca01e42cf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: c115426e06a90f7a4fdf478a16fe991e
    SHA1: 71b536d6498559b7546778f2a3b9e505987b6206
    SHA256: de3f790ab8e1c0cbfb6df0cb07ea46318ff2316e49ddd6bcfb7f7ace8c974033
    SHA512: 88f066a69349a244c7b1375e191b391a0597cd9cfd500dd7a8ba269345d2fa9c912762a4e62185173ef76602d0aa7dea33618aca757b95016112af42cab4686a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: d41e075a9b575d279bb61563c745a2ca
    SHA1: 7eedf6fbd2837c5bcf2fec121b81c701ac127098
    SHA256: d229bce409fa9ed5ef637e9ab921116df8e086a347683c860318a56a5fb32e8a
    SHA512: 8436355d7e43e1811e985f2441f1efa254166516360e54f4154ef509f6073ec79382abddd3ad7dd992b01e89ff58437aa85b67af6bac9e4b32d6592e3098791d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 43b2e749d2afa96f78fd854428aa0035
    SHA1: 100b4977791ab2395e2a62a342db6a31bb26994d
    SHA256: b7770a085a27cd372ebfb66eabdcdd58d1ed6c71a27af0d5f981fbbb8f1fe963
    SHA512: 1878004695aae10ed9608a1e20b350c592b9fb2cbe6c70eb108b25008dfaf5051b52b0beb12cc93d572368b765ae77efe73eeee7bef3740073884d15ed809a10

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 175a31141ff6c04e3df9d3f18cf01430
    SHA1: 2b9e495dd37cbd718f6ee8b1c623fc6b56747cd9
    SHA256: 2c24685b80da2674bd83bb210674854919a6147ec80bfa10b00b481e6accc1bd
    SHA512: d4d02070aec62ee8f12157f4a474e6d35f8dfb1caec8bb5fad63c3314f058bd857fb728a6862bcdfde0df7ae0367bb1fc10754d24918042b18efe7de797bcaac

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: 1398a1695d280bc8ae234f3c3877aaf4
    SHA1: e7acd29202428cd390e3bb14f8b2868bc9977e67
    SHA256: 0007568059efd658c76bf7721ea6cc6bad4c0587a4807b4dd97d1f409c529dc2
    SHA512: dcb6bccf95ec0f74197e779b5db6314b225fc1454b051b6d008dad0fbec02437ece35efc69a394ac02e1bd7eaf73825494c963a7fd1a1102cf38f1b861b8eaea

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0002.doc
    Filesize: 1.6MB
    MD5: e9cdb4d5f431f326990137b1245cdab8
    SHA1: aaeefad8ea37e577f629b8c57d5efd278dd1ce59
    SHA256: 00f215768120308240e9be811e416fddf0c651dd4d54f98a62ff2b52f2ef01b7
    SHA512: aab134cad5c9f3c38300a7ba012ef8083518a88d0fb76375e54fc337503fbf679983305b2b47df531e8805e2ea237158f204488a88206c3c8c9b621a132e2b03

  • C:\Users\Admin\AppData\Local\Temp\Cab5728.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar57FA.tmp
    Filesize: 177KB
    MD5: 435a9ac180383f9fa094131b173a2f7b
    SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
    SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
    SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

  • C:\Users\Admin\AppData\Local\Temp\tmp54435.WMC\allservices.xml
    Filesize: 546B
    MD5: df03e65b8e082f24dab09c57bc9c6241
    SHA1: 6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf
    SHA256: 155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba
    SHA512: ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
    Filesize: 20KB
    MD5: 83d86c2603c8f253c6d8ab46e4d89b62
    SHA1: 2e4af9b271d86321aa47deed6e5f3413e487401e
    SHA256: 9c9125aff360c8682592a5f92ddbde089afd8698337673fdc2c7dc720926e979
    SHA512: 7c2db0923777600531fe9752fe1eefbbe3dbd81b8c0cb2e5c41b4c52c23441f85bf0e39d37b140cb8fc31ce2ea10acabec8d793554bb832d53dbcefb9ada7927

  • memory/1656-25-0x000007FEF76F0000-0x000007FEF7724000-memory.dmp
    Filesize: 208KB

  • memory/1656-24-0x000000013F490000-0x000000013F588000-memory.dmp
    Filesize: 992KB

  • memory/1656-26-0x000007FEF5FA0000-0x000007FEF6254000-memory.dmp
    Filesize: 2.7MB

  • memory/1656-27-0x000007FEF4DC0000-0x000007FEF5E6B000-memory.dmp
    Filesize: 16.7MB

  • memory/2716-565-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2996-512-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2996-556-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB