Analysis

max time kernel: 55s
max time network: 55s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 24-09-2024 02:40

Static task: static1
Behavioral task: behavioral1
Sample: 2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe
Resource: win11-20240802-en
General

Target: 2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe
Size: 2.2MB
MD5: 46b8d560dee5cd5fd46ba9abbe06f2d4
SHA1: 836b82cf7f134b1e9d52953cb225df0bcea23c36
SHA256: c99e03c5168c25779aef710daf2a90297cc92d8a1a9e68338e39a1534fc03477
SHA512: 14449382b2b6f3664285fd408ad544d8d3385b690ed01db926cd04cca7ea226081132877dc09f4827d835e1364e1b4f799c53cdde1674db6095241335fd74562
SSDEEP: 12288:e1bLgPluxQhMbaIMu7L5NVErCA46Uy7ckPU82900Ve7zw+K+DH:QbLgdeQhfdmMS6UacMNgef0Q
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large number (682) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (1 IoC)
  description   ioc                       process
  File created  C:\WINDOWS\tasksche.exe   2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                              process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz            EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                        process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   process
  3192  EXCEL.EXE

Suspicious use of SetWindowsHookEx (12 IoCs)
  pid   process
  3192  EXCEL.EXE  (12 identical rows: every hook installation is attributed to this one process)
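The signature rows above are the sandbox's pattern matches over the recorded behaviour. As an added example (not the sandbox vendor's code), the Python below re-derives those same signatures from an event stream constructed to mirror the IoC rows in this report: the file write under C:\WINDOWS, the NLS\Language key opens by both sample processes, the CentralProcessor and BIOS lookups by EXCEL.EXE, and 682 outbound connection attempts. The event tuple shape, the made-up peer addresses and the host-count threshold of 100 are assumptions; the report only shows that 682 distinct hosts was enough to trigger the network-scan signature. Grouping the hits per process image makes the attribution explicit: the processor and BIOS reads belong to EXCEL.EXE (PID 3192), not to the submitted sample.

```python
"""Re-evaluate this report's behavioural signatures over an event stream.

Added example, not sandbox code.  EVENTS is constructed to mirror the IoC
rows of the report (it is not captured telemetry) and HOST_SCAN_THRESHOLD
is assumed; the report does not state the value that fires the signature.
"""
from collections import defaultdict

SAMPLE = "2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe"

# Assumed threshold; the report only tells us 682 distinct hosts was enough.
HOST_SCAN_THRESHOLD = 100

# Constructed events: (pid, process image, event kind, target).
EVENTS = [
    (4428, SAMPLE, "file_created", "C:\\WINDOWS\\tasksche.exe"),
    (4428, SAMPLE, "key_opened",
     "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"),
    (1376, SAMPLE, "key_opened",
     "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"),
    (3192, "EXCEL.EXE", "key_opened",
     "\\REGISTRY\\MACHINE\\Hardware\\Description\\System\\CentralProcessor\\0"),
    (3192, "EXCEL.EXE", "key_value_queried",
     "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\~MHz"),
    (3192, "EXCEL.EXE", "key_value_queried",
     "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"),
    (3192, "EXCEL.EXE", "key_value_queried",
     "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemFamily"),
    (3192, "EXCEL.EXE", "key_value_queried",
     "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemSKU"),
    (3192, "EXCEL.EXE", "key_opened",
     "\\REGISTRY\\MACHINE\\Hardware\\Description\\System\\BIOS"),
]
# 682 TCP/445 connection attempts from the sample process, one per distinct
# host.  Addresses are made up; the report lists only the count.
EVENTS += [(4428, SAMPLE, "connect", f"10.0.{i // 256}.{i % 256}:445")
           for i in range(682)]


def evaluate(events):
    """Map each signature name to the rows (pid, process, detail) that fired it."""
    hits = defaultdict(list)
    remote_hosts = defaultdict(set)  # (pid, process) -> distinct peer addresses
    for pid, proc, kind, target in events:
        t = target.lower()  # the report mixes Hardware/HARDWARE; compare case-folded
        if kind == "file_created" and t.startswith("c:\\windows\\"):
            hits["Drops file in Windows directory"].append((pid, proc, target))
        elif kind in ("key_opened", "key_value_queried"):
            if t.endswith("\\control\\nls\\language"):
                hits["System Location Discovery: System Language Discovery"].append((pid, proc, target))
            elif "\\centralprocessor\\" in t:
                hits["Checks processor information in registry"].append((pid, proc, target))
            elif "\\description\\system\\bios" in t:
                hits["Enumerates system info in registry"].append((pid, proc, target))
        elif kind == "connect":
            host = target.rsplit(":", 1)[0]  # strip the port, count hosts not sockets
            remote_hosts[(pid, proc)].add(host)
    for (pid, proc), hosts in remote_hosts.items():
        if len(hosts) >= HOST_SCAN_THRESHOLD:
            hits["Contacts a large number of remote hosts"].append((pid, proc, len(hosts)))
    return dict(hits)


def by_process(hits):
    """Invert the signature map: process image -> sorted list of signature names.

    This is the view that shows which findings belong to the sample and which
    to other processes in the same run (here EXCEL.EXE, PID 3192).
    """
    out = defaultdict(set)
    for name, rows in hits.items():
        for _pid, proc, _detail in rows:
            out[proc].add(name)
    return {proc: sorted(names) for proc, names in out.items()}


if __name__ == "__main__":
    hits = evaluate(EVENTS)
    for name, rows in hits.items():
        print(f"{name}: {len(rows)} IoC(s)")
    for proc, names in by_process(hits).items():
        print(proc, "->", ", ".join(names))
```

Run it as a script to print the per-signature IoC counts (1, 2, 3, 3 and one network-scan hit, matching the report) and the per-process grouping. Swapping EVENTS for a parsed export of a real run is the only change needed to reuse the matching logic.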
Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe (PID 4428)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe (PID 1376)
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-23_46b8d560dee5cd5fd46ba9abbe06f2d4_wannacry.exe -m security
  - System Location Discovery: System Language Discovery

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE (PID 3192)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\JoinGrant.xlsx"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe (PID 2072)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 373B
MD5: 1c62ccfb80dad513e8233208582dd5f8
SHA1: 48407247683c405344d99620df6f18cdbb6f6c6e
SHA256: d36f68898df443786712bf66cc2d252c720bc80ee5f844bfdd6015b8cab576bf
SHA512: da937f672ee5abee674b814555de8d404e463652be8cf4159fab03aaacd830a142a5cc23590eef8991e6bdadc921bcadc539e27a4449d5666a96393b2fdce4eb