Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08/09/2024, 11:23

General

  • Target

    2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe

  • Size

    3.6MB

  • MD5

    04af56434d60ec8a17511ab957430c0a

  • SHA1

    9bf7e12145f6c080115730f2137ed1ae14096a89

  • SHA256

    11ce7e99472126df83ed848bed5a79bcf190ec0dbf16a7b31ee53e5b7a085cc8

  • SHA512

    348733bd8b439cb4825e1027bedc1566f760a3fcf2f7217fed964e08156bc93a85d150adc6d6b5d93e09fdd5253c0f08ccfb19db9cf4d198fb6309fc049d51bd

  • SSDEEP

    24576:VbLgdeJMSirYb8kQg6eX6SASkDhAdvpcLjdt/8uMEbI:VnjJMSPb8kQo6SAphwk3R

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3295) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 1 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1004
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 220
        3⤵
        • Program crash
        PID:2272
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 224
        3⤵
        • Program crash
        PID:2688
  • C:\Users\Admin\AppData\Local\Temp\2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-08_04af56434d60ec8a17511ab957430c0a_wannacry.exe -m security
    1⤵
    • System Location Discovery: System Language Discovery
    PID:5100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1004 -ip 1004
    1⤵
    PID:3972
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1004 -ip 1004
    1⤵
    PID:3480

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    aafb1b6df9f35ec2b1e53e7f98ade374

    SHA1

    4948883b4fe1752a989ee2eaa6f3fcb99d893c57

    SHA256

    ceae04b36fe75ffc7db8434a987089a3060b639ef132954207d2460514618905

    SHA512

    820a6d119a4e720777a770ca211cf25931433dfd7b2d76fc164fa7ec7d7b4710cf90e1d1021a7b0752c48a6f0ced425e7ab5800970bfbfc6ee9ca81bd5b32a32