wannacry | 28cf5f04c1eae22ddf3e2c66800e48c16137508f674e74a89106b101ef03279e

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe
Size

5.0MB
MD5

4fb2055ea7d90b7549d7f6719d34883c
SHA1

ff354e43623d7746951948bad2270dd26f4afdc9
SHA256

28cf5f04c1eae22ddf3e2c66800e48c16137508f674e74a89106b101ef03279e
SHA512

06b413d204af3996b00fbabb389f48ee4d0cbf3f10ec498769e6aa09a9dde3725324675e15e30ba8d47138c1aec8867cfa382382ca09888ee27bd684a9514af0
SSDEEP

49152:VnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3304) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2912 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2912	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe

Drops file in Windows directory 1 IoCs

Processes:

2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe"
1⤵
- Drops file in Windows directory
PID:2180

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:2912

C:\Users\Admin\AppData\Local\Temp\2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-07-09_4fb2055ea7d90b7549d7f6719d34883c_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
b4af9fbefc20a243b19e2ea8e5a6a400

SHA1
a1d8bc7470fb139882ad47b519a20495e93b689c

SHA256
4d46ba3e9b9fcacd24b2903e4e14e83920ff0c970120c5a5e5fc93df0cb83e4c

SHA512
2847139807144a6403d057c2aa4a8eff7f066bdea8272720528c5c13e8c2360b3c039dd81c440028c9e25a0c55e1a6b388c025d2f7934ec9c3b59c6c5527f27c

Download Submit