Resubmissions

24-09-2024 02:40

240924-c5zvjasfkk 10

23-09-2024 23:22

240923-3chzesvdla 10

Analysis

  • max time kernel
    55s
  • max time network
    55s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    24-09-2024 02:40

General

  • Target

    2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe

  • Size

    2.2MB

  • MD5

    46b8d560dee5cd5fd46ba9abbe06f2d4

  • SHA1

    836b82cf7f134b1e9d52953cb225df0bcea23c36

  • SHA256

    c99e03c5168c25779aef710daf2a90297cc92d8a1a9e68338e39a1534fc03477

  • SHA512

    14449382b2b6f3664285fd408ad544d8d3385b690ed01db926cd04cca7ea226081132877dc09f4827d835e1364e1b4f799c53cdde1674db6095241335fd74562

  • SSDEEP

    12288:e1bLgPluxQhMbaIMu7L5NVErCA46Uy7ckPU82900Ve7zw+K+DH:QbLgdeQhfdmMS6UacMNgef0Q

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (682) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:4428
  • C:\Users\Admin\AppData\Local\Temp\2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe -m security
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1376
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\JoinGrant.xlsx"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3192
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2072

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize: 373B
    MD5: 1c62ccfb80dad513e8233208582dd5f8
    SHA1: 48407247683c405344d99620df6f18cdbb6f6c6e
    SHA256: d36f68898df443786712bf66cc2d252c720bc80ee5f844bfdd6015b8cab576bf
    SHA512: da937f672ee5abee674b814555de8d404e463652be8cf4159fab03aaacd830a142a5cc23590eef8991e6bdadc921bcadc539e27a4449d5666a96393b2fdce4eb

  • memory/3192-16-0x00007FFA41B40000-0x00007FFA41B50000-memory.dmp (Filesize: 64KB)
  • memory/3192-50-0x00007FFA44550000-0x00007FFA44560000-memory.dmp (Filesize: 64KB)
  • memory/3192-6-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3192-4-0x00007FFA44550000-0x00007FFA44560000-memory.dmp (Filesize: 64KB)
  • memory/3192-9-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3192-8-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3192-10-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3192-7-0x00007FFA44550000-0x00007FFA44560000-memory.dmp (Filesize: 64KB)
  • memory/3192-11-0x00007FFA41B40000-0x00007FFA41B50000-memory.dmp (Filesize: 64KB)
  • memory/3192-12-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3192-53-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3192-5-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3192-3-0x00007FFA44550000-0x00007FFA44560000-memory.dmp (Filesize: 64KB)
  • memory/3192-14-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3192-15-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3192-2-0x00007FFA44550000-0x00007FFA44560000-memory.dmp (Filesize: 64KB)
  • memory/3192-17-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3192-18-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)
  • memory/3192-1-0x00007FFA84563000-0x00007FFA84564000-memory.dmp (Filesize: 4KB)
  • memory/3192-52-0x00007FFA44550000-0x00007FFA44560000-memory.dmp (Filesize: 64KB)
  • memory/3192-51-0x00007FFA44550000-0x00007FFA44560000-memory.dmp (Filesize: 64KB)
  • memory/3192-0-0x00007FFA44550000-0x00007FFA44560000-memory.dmp (Filesize: 64KB)
  • memory/3192-49-0x00007FFA44550000-0x00007FFA44560000-memory.dmp (Filesize: 64KB)
  • memory/3192-13-0x00007FFA844C0000-0x00007FFA846C9000-memory.dmp (Filesize: 2.0MB)