Resubmissions
11-06-2024 12:56
240611-p6qz8sxeqc 1011-06-2024 12:56
240611-p6cgvaxhrn 1011-06-2024 12:53
240611-p4mj2axhmj 10Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11-06-2024 12:53
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe
-
Size
5.0MB
-
MD5
bf86e3bba6212a58f4923dfee37f360d
-
SHA1
82827607dc32ab560618267ea3551b4b2068da71
-
SHA256
baad53c5f4c4165efb6e03a911abd3a3afda33eeeb046625ede7fccbb32509ff
-
SHA512
cd4fc73059583196957caee2c4942b0adf2d9e9b05358f20ee2a9b5dc1d654d47e7b04968733a4a519c3d3f424858c4c204c2751d8a99916f9e0a63092cbc396
-
SSDEEP
49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9P:yDqPoBhz1aRxcSUDk36SAEdhvxWa9P
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3275) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 2560 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe -
Drops file in Windows directory 1 IoCs
Processes:
2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exedescription ioc process File created C:\WINDOWS\tasksche.exe 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B274256-EC98-4E65-A3E0-0501880B15E6} 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B274256-EC98-4E65-A3E0-0501880B15E6}\WpadDecisionTime = 10bada50febbda01 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B274256-EC98-4E65-A3E0-0501880B15E6}\52-7f-59-f5-bc-6f 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-7f-59-f5-bc-6f\WpadDecisionTime = 10bada50febbda01 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B274256-EC98-4E65-A3E0-0501880B15E6}\WpadDecision = "0" 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-7f-59-f5-bc-6f 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-7f-59-f5-bc-6f\WpadDecisionReason = "1" 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-7f-59-f5-bc-6f\WpadDecision = "0" 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B274256-EC98-4E65-A3E0-0501880B15E6}\WpadNetworkName = "Network 3" 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B274256-EC98-4E65-A3E0-0501880B15E6}\WpadDecisionReason = "1" 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings 2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe"1⤵
- Drops file in Windows directory
PID:3028 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2560
-
C:\Users\Admin\AppData\Local\Temp\2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-06-11_bf86e3bba6212a58f4923dfee37f360d_wannacry.exe -m security1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2344
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5469ea6f2c5d9d4ac749651e2f5a0f6a9
SHA15c7c3b5cd9f518c3922bb907836fbad662c8729f
SHA25629b50bde6dac39948c22579248c96a3488c5c94c6f127a4bd11d24abfcb6569f
SHA51296ec39bcdca9a4a2352e377cb20676a7a197dbe015ef0a61eb281a65c867955d9f065cf6e102ef2083aab27a501bc34e07536abbfc19bafe225f628803fd083a