wannacry | 538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786 | Triage

Submit
Reports

Overview

overview

Static

static

3

538182cd64...86.dll

windows7-x64

538182cd64...86.dll

windows10-2004-x64

Sharing

General

Target

538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786
Size

5.0MB
Sample

240531-1mdrcaee2s
MD5

7c0ada776091154a2cb1015bcac66d65
SHA1

14b85e1558e891542fcc3fd71e2ab2068537112b
SHA256

538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786
SHA512

1ced5f1536b4fd61b49dfb16e3eca0777f8b1c7387a4ecc1de889027ae219c507f1d6a4ad921496352a6a09f1c616338fbcd7636a203e6c6489b019400d1965b
SSDEEP

98304:8DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:8DqPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery persistence ransomware upx worm

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786.dll

Resource

win7-20240508-en

wannacry discovery persistence ransomware upx worm

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786.dll

Resource

win10v2004-20240426-en

wannacry discovery persistence ransomware upx worm

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Targets

- Target
  
  538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786
- Size
  
  5.0MB
- MD5
  
  7c0ada776091154a2cb1015bcac66d65
- SHA1
  
  14b85e1558e891542fcc3fd71e2ab2068537112b
- SHA256
  
  538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786
- SHA512
  
  1ced5f1536b4fd61b49dfb16e3eca0777f8b1c7387a4ecc1de889027ae219c507f1d6a4ad921496352a6a09f1c616338fbcd7636a203e6c6489b019400d1965b
- SSDEEP
  
  98304:8DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:8DqPe1Cxcxk3ZAEUadzR8yc4H
Score

10^/10

wannacry discovery persistence ransomware upx worm
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Contacts a large (3313) amount of remote hosts
  This may indicate a network scan to discover remotely running services.
  discovery
- UPX dump on OEP (original entry point)
- Modifies AppInit DLL entries
  persistence
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Network Service Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

wannacrydiscoverypersistenceransomwareupxworm

behavioral2

wannacrydiscoverypersistenceransomwareupxworm

© 2018-2024

Terms | Privacy