Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-09-2024 09:38

General

  • Target

    2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe

  • Size

    5.0MB

  • MD5

    c2518e860b9fe614dd7a0d4ebaf1eda2

  • SHA1

    d9be161a6fb4b79f10ceafe30109a2599dbf75d0

  • SHA256

    c2d6eb0a76b139b02342c1d5d75c1b744afef9052777425800bc90d1462b4f47

  • SHA512

    042ab2d148e9c08bfa21e79698229ad1e609d6a9c27873dff91d03b1c8b091d56f4baa715489bd9212abc7e530fc7e12d1924fa75744abca4085c36e789bbd5f

  • SSDEEP

    49152:XnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:XDqPoBhz1aRxcSUDk36SAEdhv

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3176) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large number of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:1704
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2808
  • C:\Users\Admin\AppData\Local\Temp\2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1620

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    db536d575fb12abbf80121ae8f9b9be5

    SHA1

    b04983746b08445a3ed081080d26338fde45f76f

    SHA256

    7998dddf5f55e58945f5e747b11c2f03a14196577ece133b8587a5a5ec8c7b22

    SHA512

    324906ce8402dcb37bb4aff45455a95df2685df7a9d5e5648cf0d7bf4a19b141a88c6abadd1245226097bb0749a89261ae33ab77391056ce3ecf58b18e041ad7