Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-09-2024 22:02

General

  • Target

    20240923805037e703c6da6193619e142ab5814ewannacry.exe

  • Size

    5.0MB

  • MD5

    805037e703c6da6193619e142ab5814e

  • SHA1

    a665331fe49d17b030d02e4010d592154e031ab4

  • SHA256

    644e69842dc717c1e7a0266071840a1506716b0b60510af1be22c8b01ef5dda3

  • SHA512

    5de8249b7b7d9b035c10b8d42aad3cbc32b1aab033c45b2f6a1787a496748cb79a360af7dcc681e804b97c90a736ee7f232fe0496d751683c7bc36c71e35a71b

  • SSDEEP

    49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:yDqPoBhz1aRxcSUDk36SAEdhvxWa9

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3168) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20240923805037e703c6da6193619e142ab5814ewannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\20240923805037e703c6da6193619e142ab5814ewannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:1860
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2860
  • C:\Users\Admin\AppData\Local\Temp\20240923805037e703c6da6193619e142ab5814ewannacry.exe
    C:\Users\Admin\AppData\Local\Temp\20240923805037e703c6da6193619e142ab5814ewannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    8522ece13c657d22f3a53f57a36ec1fc

    SHA1

    a4abf0cbf76842de47b6cb6cd47fc7a3cb36dc3b

    SHA256

    46a6db41a9539d9aab67ab625bdbb4bb71533d7bb2e912c8f7dd91c87bf1854f

    SHA512

    591ee1153a59eb816fb715d2f425b8346042a095575c8af25e1bcf0c9b5b852dc69fa83682be6a2839782d2cf92b457767fefd5954a4f88172df5d70ddcdda55