Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-09-2024 07:29

General

  • Target

    2024-09-18_89620df172874d59012e08b143bdc33c_wannacry.exe

  • Size

    2.2MB

  • MD5

    89620df172874d59012e08b143bdc33c

  • SHA1

    23df51e1c98ed0b1c0b850b71eb765adc8f30c25

  • SHA256

    2fce6704bfd3e8ec31fdf5ff69088c5f5b994330d296c6a30c01ec7204cf1c90

  • SHA512

    53e19f05c4a59c81335e4455b1328814e0b9f1591774d0f0cc2b844a1ea85e1fda3eccdd98733e1f3bd1842a94e391842317f5cc67357f69c2a79fe7a8e72962

  • SSDEEP

    49152:QnpEhPbcBVQej/1INRx+TSqTdX1HkQo6SAARdAqGi:QpOoBhz1aRxcSUDk36SAEdAHi

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3217) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-18_89620df172874d59012e08b143bdc33c_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-18_89620df172874d59012e08b143bdc33c_wannacry.exe"
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2676
  • C:\Users\Admin\AppData\Local\Temp\2024-09-18_89620df172874d59012e08b143bdc33c_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-18_89620df172874d59012e08b143bdc33c_wannacry.exe -m security
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2204

MITRE ATT&CK Enterprise v15

Downloads

  • C:\WINDOWS\tasksche.exe

    Filesize

    2.0MB

    MD5

    55b334556f965ba7818da82affd63c6c

    SHA1

    cb766269d33789feb7c21e1abfe2b523a9b001cd

    SHA256

    44da49471483fd0b8d18d2ec2a6c1ec2ab107a0fd4c0da92d4083616972692aa

    SHA512

    2ab57be84c6d994041a74082451b265caab4738c670fbd43ee0fd1caacbb9f356e3fca9f1b2ea5056934333e9635c6a14ccce3bcd11bf6b896091cd55b47bbd3