Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-09-2024 22:53

General

  • Target

    2024-09-22_f3d461244caa4fa99eddb1bcd8f8e5f6_wannacry.exe

  • Size

    3.6MB

  • MD5

    f3d461244caa4fa99eddb1bcd8f8e5f6

  • SHA1

    a14aa0617df55e5ea36a377bfe1b1683f322b2ca

  • SHA256

    dadfa38538399402b9ad74be92ba2d63420a38ef565831e7828fc12ec5f13a8e

  • SHA512

    f2a632840c35e098cec82e61bbb79e07b9b278677b99c0a98cc1f32777948923475389b0bee4f1e5fb4c54f32f39f83b1e03ba7f8aa130b7d77612008bd8901b

  • SSDEEP

    49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6S:yDqPoBhz1aRxcSUDk36S

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3294) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-22_f3d461244caa4fa99eddb1bcd8f8e5f6_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-22_f3d461244caa4fa99eddb1bcd8f8e5f6_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:1076
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2924
  • C:\Users\Admin\AppData\Local\Temp\2024-09-22_f3d461244caa4fa99eddb1bcd8f8e5f6_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-22_f3d461244caa4fa99eddb1bcd8f8e5f6_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    117c8579fbf9d712a4b883adecb0be5e

    SHA1

    c37f9b721b804a7b13898888b635f97910401369

    SHA256

    5faac8ff2211687c3d4e25d17393a308b1f720e6fa4763083de88411f83016d6

    SHA512

    0b404ecc4eedce02c6a982d3324ece4ac995bbdd4ca4b2557999ab6e43d66591228e3d18e1cd5735f48f429ab6a85715ec1f866a471e3b766d3cf794a2b5c600