Resubmissions
15-09-2024 20:39 240915-zfpdtssblr 10
15-09-2024 20:38 240915-zepcfa1erh 10
15-09-2024 19:50 240915-ykmv5a1bjq 10
Analysis
-
max time kernel
77s -
max time network
77s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system -
submitted
15-09-2024 20:38
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe
Resource
win11-20240802-en
General
-
Target
2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe
-
Size
2.2MB
-
MD5
ec114588ac70fd5c1fca25731f494b4e
-
SHA1
040796d8ed354de04175ca01380c45e9c3acd642
-
SHA256
1a3a791e79fd658b5e630200046217427ca80ab561cf2f92b599897ca2e0dff9
-
SHA512
e04456bc3e5b303ca9782037bfa6b5da00596bb909a236d12663579048271efbfcb0a1770db3f3ef574cb2e028aae629b87576eebaa3c408f40b3f9013f78584
-
SSDEEP
49152:QnxQqMSPbcBVQej/1INRx+TSqTdX1HkQo6:Q6qPoBhz1aRxcSUDk36
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Executes dropped EXE 1 IoCs
pid Process 2012 tasksche.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe 2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3372 2012 WerFault.exe 82 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe
-
Modifies data under HKEY_USERS 5 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 3572 vlc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3572 vlc.exe -
Suspicious use of FindShellTrayWindow 14 IoCs
pid Process 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe 3572 vlc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3572 vlc.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target
PID 2252 wrote to memory of 2012 2252 2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe 82
PID 2252 wrote to memory of 2012 2252 2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
  C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  - Executes dropped EXE
  PID:2012
    C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 8
    - Program crash
    PID:3372
-
C:\Users\Admin\AppData\Local\Temp\2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-09-15_ec114588ac70fd5c1fca25731f494b4e_wannacry.exe -m security
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1128
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2012 -ip 2012
PID:3836
-
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SkipConnect.DVR-MS"
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3572
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.0MB
MD5 8a1112fbed4f3a09991afead122a2d7f
SHA1 16c013f4e5e855607d2a93e018d6d3efd89e195f
SHA256 dc9d6f2222c1d8e1b0f7d2305f1b1cd735da9f0cd5a1bf055b31733f30b8693b
SHA512 e0a6489305d58ab81f33bbe86d594e56c77eeae340c7a02fab251bd61c7a93b1a7c022a496dc035eadfd418e7d6668e1406de1716059952d8da302af4777fe64