Overview

overview

10

Static

static

3

WannaCry.exe

windows7-x64

10

WannaCry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-07-2024 20:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WannaCry.exe

  • Size

    623KB

  • MD5

    eea571229a25bc2f5b59dce07c361cb2

  • SHA1

    b341437a1f94d645e5628d8491f068de1a049fb9

  • SHA256

    b0e67944726a2d7a14c9ce5fbfa1914b85666d547cc09118b278e89aeb5307cd

  • SHA512

    1b52740a0fbbb26cd8ad94167b443a81761ba8d48ae9b2931c924a2dcacb3de1727faf12858714712e863cd8d4a6412780ee466e45765565e707422ace583fca

  • SSDEEP

    12288:JzNGgFeDQ8sYnJl6+CIxNbMV6DqJ598Fu8l3hIX61Ho7:TGKUQ8sYJlFtMV6DqJ4u8lQ6S7

Score
10/10
wannacryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
    "C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3180
    • C:\Fake\Starter.exe
      "C:\Fake\Starter.exe"
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • Suspicious use of WriteProcessMemory
      PID:5924
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5512
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Checks processor information in registry
    • Modifies registry class
    PID:5640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Fake\@[email protected]
    Filesize

    240KB

    MD5

    7bf2b57f2a205768755c07f238fb32cc

    SHA1

    45356a9dd616ed7161a3b9192e2f318d0ab5ad10

    SHA256

    b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

    SHA512

    91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

    Download Submit

  • C:\Fake\Starter.exe
    Filesize

    76KB

    MD5

    ad38305ac309c46033e2c65a25abc61f

    SHA1

    8e4fb6f0b4e62c2b6fdb92c4f5d884a7f7867bfd

    SHA256

    236e79f52960f6c8ec5c5ff9d15026953e2100c7c7ec8d1d2d6ee17e3ea5c8a4

    SHA512

    7be823bd1d2941253c38227faf23efe3801450f958a5ebd751354a8b672922c35d23df03c9e6af398fe4e15d4864dc78c68e52483af9b7e9840dab2c4245be44

    Download Submit

  • C:\Fake\c.wnry
    Filesize

    781B

    MD5

    b1b05ed468c0370c4cbc206ba8f47599

    SHA1

    cf36c5df06758a52c1ece7e91a27d79fae7a6000

    SHA256

    eeabf078a3be5af70bc63fb6fd7219d0f14b0ca6c4a265265c24a57d317cb06f

    SHA512

    9047dfe3b87c839ca4859da9eb2d784f90660c36319f07f9d5f22fcefb71ef819c0ef276fe05041d5e00745c04fe58087e2755445ed0e3db397dc0141b971385

    Download Submit

  • C:\Fake\msg\m_English.wnry
    Filesize

    36KB

    MD5

    fe68c2dc0d2419b38f44d83f2fcf232e

    SHA1

    6c6e49949957215aa2f3dfb72207d249adf36283

    SHA256

    26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

    SHA512

    941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

    Download Submit

  • C:\Fake\msg\m_czech.wnry
    Filesize

    39KB

    MD5

    537efeecdfa94cc421e58fd82a58ba9e

    SHA1

    3609456e16bc16ba447979f3aa69221290ec17d0

    SHA256

    5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

    SHA512

    e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

    Download Submit

  • C:\Fake\msg\m_indonesian.wnry
    Filesize

    36KB

    MD5

    3788f91c694dfc48e12417ce93356b0f

    SHA1

    eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

    SHA256

    23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

    SHA512

    b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

    Download Submit