wannacry | 7587e15416957883b390afba98fedc4b4ff4ba7d111d9f03365b6a09b86d5d5c

Resubmissions

19-06-2024 12:55

240619-p51haavgkl 10

19-06-2024 12:42

240619-pxpe2sverk 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
Size

3.6MB
MD5

d724d8cc6420f06e8a48752f0da11c66
SHA1

3b669778698972c402f7c149fc844d0ddb3a00e8
SHA256

07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
SHA512

d771d74894e72402bbd016787fb102053678424205644bceec17ee3e7598e3f4aeb59b0f3272b5dbe1d26289f659024520653f57fc1bfe18054ffae4f188aef9
SSDEEP

98304:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:Z8qPe1Cxcxk3ZAEUadzR8yc4HI

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3260) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
4252	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4796	EXCEL.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
3432	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
"C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe"
1⤵
- Drops file in Windows directory
PID:2144
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:4252

C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe -m security
1⤵
PID:752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:2444

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\MergeComplete.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/4796-3-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-6-0x00007FF816A4D000-0x00007FF816A4E000-memory.dmp

Filesize
4KB

Download
memory/4796-5-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-4-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-8-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-7-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-11-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-14-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-15-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-13-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-17-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-16-0x00007FF7D47E0000-0x00007FF7D47F0000-memory.dmp

Filesize
64KB

Download
memory/4796-18-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-21-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-20-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-19-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-12-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-10-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-9-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-22-0x00007FF7D47E0000-0x00007FF7D47F0000-memory.dmp

Filesize
64KB

Download
memory/4796-24-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-25-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-23-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-35-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-49-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-52-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-51-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-50-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-53-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads