Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15-09-2024 09:38
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe
-
Size
5.0MB
-
MD5
c2518e860b9fe614dd7a0d4ebaf1eda2
-
SHA1
d9be161a6fb4b79f10ceafe30109a2599dbf75d0
-
SHA256
c2d6eb0a76b139b02342c1d5d75c1b744afef9052777425800bc90d1462b4f47
-
SHA512
042ab2d148e9c08bfa21e79698229ad1e609d6a9c27873dff91d03b1c8b091d56f4baa715489bd9212abc7e530fc7e12d1924fa75744abca4085c36e789bbd5f
-
SSDEEP
49152:XnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:XDqPoBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3176) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid Process 2808 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-ac-b9-a0-0b-6c\WpadDecisionReason = "1" 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC30BDF3-C4DC-4075-A0A2-370429D0227C}\WpadDecisionTime = e0dbb2fa5207db01 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-ac-b9-a0-0b-6c\WpadDecisionTime = e0dbb2fa5207db01 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC30BDF3-C4DC-4075-A0A2-370429D0227C} 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC30BDF3-C4DC-4075-A0A2-370429D0227C}\WpadNetworkName = "Network 3" 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC30BDF3-C4DC-4075-A0A2-370429D0227C}\ca-ac-b9-a0-0b-6c 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC30BDF3-C4DC-4075-A0A2-370429D0227C}\WpadDecision = "0" 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-ac-b9-a0-0b-6c 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-ac-b9-a0-0b-6c\WpadDecision = "0" 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EC30BDF3-C4DC-4075-A0A2-370429D0227C}\WpadDecisionReason = "1" 2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1704 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2808
-
-
C:\Users\Admin\AppData\Local\Temp\2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-09-15_c2518e860b9fe614dd7a0d4ebaf1eda2_wannacry.exe -m security1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1620
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5db536d575fb12abbf80121ae8f9b9be5
SHA1b04983746b08445a3ed081080d26338fde45f76f
SHA2567998dddf5f55e58945f5e747b11c2f03a14196577ece133b8587a5a5ec8c7b22
SHA512324906ce8402dcb37bb4aff45455a95df2685df7a9d5e5648cf0d7bf4a19b141a88c6abadd1245226097bb0749a89261ae33ab77391056ce3ecf58b18e041ad7