wannacry | 11ce7e99472126df83ed848bed5a79bcf190ec0dbf16a7b31ee53e5b7a085cc8

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe
Size

3.6MB
MD5

04af56434d60ec8a17511ab957430c0a
SHA1

9bf7e12145f6c080115730f2137ed1ae14096a89
SHA256

11ce7e99472126df83ed848bed5a79bcf190ec0dbf16a7b31ee53e5b7a085cc8
SHA512

348733bd8b439cb4825e1027bedc1566f760a3fcf2f7217fed964e08156bc93a85d150adc6d6b5d93e09fdd5253c0f08ccfb19db9cf4d198fb6309fc049d51bd
SSDEEP

24576:VbLgdeJMSirYb8kQg6eX6SASkDhAdvpcLjdt/8uMEbI:VnjJMSPb8kQo6SAphwk3R

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3305) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
1680	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2468	1680	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1680	2108	2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe	31
PID 2108 wrote to memory of 1680	2108	2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe	31
PID 2108 wrote to memory of 1680	2108	2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe	31
PID 2108 wrote to memory of 1680	2108	2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe	31
PID 1680 wrote to memory of 2468	1680	tasksche.exe	32
PID 1680 wrote to memory of 2468	1680	tasksche.exe	32
PID 1680 wrote to memory of 2468	1680	tasksche.exe	32
PID 1680 wrote to memory of 2468	1680	tasksche.exe	32

C:\Users\Admin\AppData\Local\Temp\2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 36
    3⤵
    - Program crash
    PID:2468

C:\Users\Admin\AppData\Local\Temp\2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
aafb1b6df9f35ec2b1e53e7f98ade374

SHA1
4948883b4fe1752a989ee2eaa6f3fcb99d893c57

SHA256
ceae04b36fe75ffc7db8434a987089a3060b639ef132954207d2460514618905

SHA512
820a6d119a4e720777a770ca211cf25931433dfd7b2d76fc164fa7ec7d7b4710cf90e1d1021a7b0752c48a6f0ced425e7ab5800970bfbfc6ee9ca81bd5b32a32

Download Submit