wannacry | b59b879b4ea001e1e1daabe3c00ea1d1d7e7c79e2b69ed3d4a11c47953a273ab

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe
Size

3.6MB
MD5

9a09665b2b273e2575a5bbef898bd7f4
SHA1

1830b494ca4b45a970fe419c1bf993815d5321e9
SHA256

b59b879b4ea001e1e1daabe3c00ea1d1d7e7c79e2b69ed3d4a11c47953a273ab
SHA512

509fc14f337648381c22312535b50e498091f24cd8297702a45e1ba1b1a803787da54727082996848c138f1a2745e0962988e84af561c493f8c2ae2815308d9c
SSDEEP

49152:2njQqMSPbcBVQej/1INRx+TSqTdX1HGxJM0H9PAMEcaEau3RCgHADJ:y8qPoBhz1aRxcSUDGxWa9P593RU

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3098) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2264 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2264	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe

Drops file in Windows directory 1 IoCs

Processes:

2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe"
1⤵
- Drops file in Windows directory
PID:3048
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2264

C:\Users\Admin\AppData\Local\Temp\2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-26_9a09665b2b273e2575a5bbef898bd7f4_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
dc797a79c81870e11b6091fb13181678

SHA1
eb14741adeddd0eb0e24780f30230934c6f70b1e

SHA256
684b3b171963efef5a27051aac9d795c6f713cec54bdf4cf1b88d33728544136

SHA512
94db9c19a044ac93167754fd31f1b6eb21ab6339b5522a32f59f230aaef6b4f92babed4f8bdba383741e1c325efae63afee0e8c111cccb1ff3fa1776cf1dfbe6

Download Submit