Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-09-2024 17:17

General

  • Target

    20240924451397223f679cdf2d124d4cb2b92375wannacry.exe

  • Size

    5.0MB

  • MD5

    451397223f679cdf2d124d4cb2b92375

  • SHA1

    f4ebd900f995f8f1cf24eaca61380076938431ab

  • SHA256

    451ef61eb01255686f9b1fddae48de775ca86debe73fc0d61edd9d75c2d3559f

  • SHA512

    e895abefcc1657f67ae28b60cdff8f1bc4423026119274e53d488f5685e278d0d2c30c5c693e052f72d3d3ba0376c5c030227e2ceb9a41da2937b0028110a534

  • SSDEEP

    49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:yDqPoBhz1aRxcSUDk36SA

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3331) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20240924451397223f679cdf2d124d4cb2b92375wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\20240924451397223f679cdf2d124d4cb2b92375wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2724
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2608
  • C:\Users\Admin\AppData\Local\Temp\20240924451397223f679cdf2d124d4cb2b92375wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\20240924451397223f679cdf2d124d4cb2b92375wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2892

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    dda19d185d24135d056385eddde66112

    SHA1

    5df4808a0486b77967524922649e418453eb28dc

    SHA256

    60e2e5ea3fb4c34e69571aa68c80ace8a365721954320765bae955744fe9e2d7

    SHA512

    ce0202f8f074d4b024e8963f5766ad60be509ac4ea2cb17697b620e551b1375d942554537a272a5c91687e3a19a3e6d8d94e483a61e9e7446b86d04214cd7ec2