Analysis
max time kernel: 94s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-09-2024 00:42
Behavioral task
behavioral1
Sample
2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
Resource
win10v2004-20240802-en
General
Target: 2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
Size: 230KB
MD5: c47451e9db6bc856051f49f728e05e27
SHA1: 3a6eae645c5c44ed2933aed3379ae6f7e1ab8331
SHA256: a29f7f16177b1aed8ad6b56dbe19763b9264734304cfc3db9b5c3ce77ea1e08f
SHA512: 7a85e7bc7be2f71f799b918bd42dfbc6043ef6222b12ff6b7258bfeeadb38c4f3186ece742a589aa224292749fa66089faca161248b15793ae1a93975bde586a
SSDEEP: 6144:QYr9AxLsirVD0GfhyvOhBpC81xmjuQmDbjoYl5m:ULNVDbfhygC81xFBDbj7m
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
resource | yara_rule
behavioral2/memory/3516-1-0x0000000000E10000-0x0000000000E50000-memory.dmp | family_chaos
behavioral2/files/0x000800000002343a-6.dat | family_chaos
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
Drops startup file 3 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README | svchost.exe
Executes dropped EXE 1 IoCs
pid Process 2824 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
All 34 entries are "File opened for modification" by svchost.exe; the paths touched:
C:\Users\Public\Pictures\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-523280732-2327480845-3730041215-1000\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4z4ocv13r.jpg" | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | OpenWith.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2824 svchost.exe -
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid | Process
49 entries in total, all of them one of the two rows below (3516 repeated first, then 2824 repeated):
3516 | 2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
2824 | svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3516 | 2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
Token: SeDebugPrivilege | 2824 | svchost.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 624 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description | pid | Process | procid_target
PID 3516 wrote to memory of 2824 | 3516 | 2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe | 82
PID 3516 wrote to memory of 2824 | 3516 | 2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe | 82
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516 -
Level 2 (child of the level-1 process): C:\Users\Admin\AppData\Roaming\svchost.exe
Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2824
Level 1: C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:624
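The signatures above (geofence lookup of Control Panel\International\Geo\Nation, a .url dropped into the Startup folder, dozens of desktop.ini opens across user directories, wallpaper pointed at a file in AppData\Local\Temp, a cross-process memory write into a dropped binary) and the process tree (an executable named svchost.exe running from AppData\Roaming rather than System32) are the kind of sandbox output an analyst turns into triage rules. Note that the filename suffix says "wannacry" while the YARA match is family_chaos; the behaviour, not the name, is what the rules should key on. The script below is an added example, not the sandbox's code: it parses event lines in the constructed shape "<action> <target> <process>" copied from this report's IoC entries, uses a constructed pid-to-image table taken from the process tree, and scores each TTP. The rule names, the ini_threshold default of 10 and the SYSTEM_NAMES set are assumptions chosen for illustration.

```python
"""Rule-based triage of sandbox behavioural events for Chaos-style ransomware.

Added example, not the sandbox's code. The event-line shape
"<action> <target> <process>" and the pid->image table are constructed
from the IoC entries and process tree in the report above.
"""
import re
from collections import defaultdict
from ntpath import basename, dirname  # handles Windows paths on any host

# Constructed sample input: one IoC line per event, copied from the report.
SAMPLE_EVENTS = r"""
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation 2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README svchost.exe
File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe
File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe
File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\Wallpaper = "C:\Users\Admin\AppData\Local\Temp\4z4ocv13r.jpg" svchost.exe
PID 3516 wrote to memory of 2824 3516 2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe 82
"""

# Constructed from the report's process tree: pid -> image path.
SAMPLE_PROCESSES = {
    3516: r"C:\Users\Admin\AppData\Local\Temp\2024-09-20_c47451e9db6bc856051f49f728e05e27_wannacry.exe",
    2824: r"C:\Users\Admin\AppData\Roaming\svchost.exe",
    624: r"C:\Windows\system32\OpenWith.exe",
}

ACTIONS = ("File opened for modification", "File created",
           "Key value queried", "Set value (str)")
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
# Assumed list of binary names that only belong under C:\Windows; elsewhere is masquerading.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
WINDOWS_DIR = "c:\\windows\\"


def parse_event(line):
    """Split a sandbox line into (action, target, process); the process is the
    trailing token, so targets containing spaces ("Start Menu") stay intact."""
    for action in ACTIONS:
        if line.startswith(action + " "):
            target, _, process = line[len(action) + 1:].rpartition(" ")
            return action, target, process
    return None


def analyze(events_text, processes, ini_threshold=10):
    """Return {finding: [evidence, ...]} for the ransomware TTPs seen in the report."""
    findings = defaultdict(list)
    ini_dirs = set()
    for line in events_text.strip().splitlines():
        write = WRITE_RE.match(line)
        if write:  # cross-process memory write whose target lives outside C:\Windows
            src, dst = int(write.group(1)), int(write.group(2))
            image = processes.get(dst, "")
            if not image.lower().startswith(WINDOWS_DIR):
                findings["memory_write_to_user_dir_process"].append(f"{src} -> {dst} ({image})")
            continue
        event = parse_event(line)
        if event is None:
            continue
        action, target, process = event
        low = target.lower()
        if action == "Key value queried" and low.endswith(r"\control panel\international\geo\nation"):
            findings["geofence_lookup"].append(process)
        elif action == "File created" and "\\start menu\\programs\\startup\\" in low:
            findings["startup_persistence"].append(target)
        elif action == "File opened for modification" and basename(low) == "desktop.ini":
            ini_dirs.add(dirname(low))  # count directories, not individual opens
        elif action == "Set value (str)" and "\\control panel\\desktop\\wallpaper" in low:
            value = re.search(r'= "(.*)"$', target)
            if value and "\\appdata\\local\\temp\\" in value.group(1).lower():
                findings["wallpaper_from_temp"].append(value.group(1))
    if len(ini_dirs) >= ini_threshold:
        findings["mass_desktop_ini_modification"].append(f"{len(ini_dirs)} directories")
    for pid, image in processes.items():
        if basename(image).lower() in SYSTEM_NAMES and not image.lower().startswith(WINDOWS_DIR):
            findings["system_name_outside_windows_dir"].append(f"{pid} {image}")
    return dict(findings)


if __name__ == "__main__":
    for name, evidence in analyze(SAMPLE_EVENTS, SAMPLE_PROCESSES).items():
        print(name, evidence)
```

Run against the constructed sample, all six rules fire; the desktop.ini rule deliberately counts distinct directories rather than opens, because a single directory touched many times is normal shell behaviour while a dozen user and Public directories in one run is the encryption sweep.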
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 230KB
MD5: c47451e9db6bc856051f49f728e05e27
SHA1: 3a6eae645c5c44ed2933aed3379ae6f7e1ab8331
SHA256: a29f7f16177b1aed8ad6b56dbe19763b9264734304cfc3db9b5c3ce77ea1e08f
SHA512: 7a85e7bc7be2f71f799b918bd42dfbc6043ef6222b12ff6b7258bfeeadb38c4f3186ece742a589aa224292749fa66089faca161248b15793ae1a93975bde586a

Filesize: 740B
MD5: 247fd138d3881e0b6135f930d272158a
SHA1: e174a53071e17bc7983932636dca23d0fb46a0b8
SHA256: cfe39d1892f95613ff09b68190f9077b62e09983bce24042e1cbd1fa29ccce9f
SHA512: 86accb04f72eff1842473440d30634e4fd86f239d78674e014d8a110d65bf56be8e81a9d07e2d6d8516aebb30329ce02bae59f35db2e638c88ab71689e353ae5