Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-05-2024 01:31

General

  • Target

    2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe

  • Size

    2.4MB

  • MD5

    63263c7764df5469c6683700699f9d1a

  • SHA1

    a11de9cb5acd9b04fbbd3d4568a53713c7c3bd40

  • SHA256

    79fe78a198078c1810a45cd7ff8f97292b3a15c4ec65601f979be576a424e9ac

  • SHA512

    207c04f5d08230200ab0908b4f719ecb2d0085ffd26dfe6461c9fdb12e6cbe9736326338851291de65137019ab52ace2230d0fac1592cf3965f8ccbaf2a30a73

  • SSDEEP

    1536:jpHBovOj4CPN0iyR5KXzik7t3ZVw3GaalZJlrw+TBSD5vl/xvzWWvoqd:ZBoQ2RGaallrnUBlJ6o

Malware Config

Signatures

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Detects command variations typically used by ransomware 1 IoCs
  • Renames multiple (1429) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Drivers directory 2 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 64 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-26_63263c7764df5469c6683700699f9d1a_wannacry.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode mode=disable profile=all
      2⤵
      • Modifies Windows Firewall
      PID:4972
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic shadowcopy delete
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3632
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe user32.dll,UpdatePerUserSystemParameters
      2⤵
      PID:4204
    • C:\Users\Admin\Desktop\GlitchByte_Decryptor.exe
      C:\Users\Admin\Desktop\GlitchByte_Decryptor.exe
      2⤵
      • Executes dropped EXE
      PID:4512
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4816

Network

MITRE ATT&CK Enterprise v15
Downloads

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\000003.log

      Filesize

      8B

      MD5

      7f49f19ddb99db64a6aa9486ef6658e5

      SHA1

      f233f9413b9cc1c27e61308b6b5d5e56c7341d45

      SHA256

      a5ddc96ed1f312cb639277840a89c8859f88ffd36a5962b87429fd0e94feb41f

      SHA512

      4634feaaa7de377b4bb8bc5ff5649f4ef0b8f37f2338d2d032ae2956c6f35aba1ecd9672c3e46bfb30d64e8584f78032e8ab738ddbf01e44e8b8532e74192159

    • C:\Users\Admin\Desktop\GlitchByte_Decryptor.exe

      Filesize

      59KB

      MD5

      bfb533cf1b36ee071912539947b6e293

      SHA1

      829ab8fea8390419739749a5f10a6514b38f81cf

      SHA256

      0d8217a51648efeb075d73389c826430209eca07422fb8d035de9c00bd5ab96c

      SHA512

      d1f68827ff6d937a9a46b390f6ddbf58b7cc644fce648b16342eafc0f85788261a4b126f5582528b34af32fd20b964738dd052bfe255cac1438780500354fb83

    • memory/216-2274-0x0000000000C90000-0x0000000000EF7000-memory.dmp

      Filesize

      2.4MB

    • memory/4512-2800-0x0000000000340000-0x0000000000352000-memory.dmp

      Filesize

      72KB