Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25-09-2024 10:08

General

  • Target

    2024-09-25_fe5072ac417a83f57144ba1d495978dc_wannacry.exe

  • Size

    5.0MB

  • MD5

    fe5072ac417a83f57144ba1d495978dc

  • SHA1

    f603a57fccd345ec07aaa222296215a0a89b5fb4

  • SHA256

    87b999f41b6503e280b7ab292737de2fb2cf0b35da1e02cbfafde20671690dad

  • SHA512

    47811d8cdc9114d6001c3793ac36ae91fd400584c4a7c34c0ee186fda136a7a891effa609a53c7d47cdff247f4c1bb77c3c881b6580737ab54b47b549a52d6a2

  • SSDEEP

    49152:XnAQqMSPbcBVQej/1INfrHV7YoG/QCnV:XDqPoBhz1a1Yod8V

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3232) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-25_fe5072ac417a83f57144ba1d495978dc_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-25_fe5072ac417a83f57144ba1d495978dc_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2300
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2616
  • C:\Users\Admin\AppData\Local\Temp\2024-09-25_fe5072ac417a83f57144ba1d495978dc_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-25_fe5072ac417a83f57144ba1d495978dc_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    ab90881823d87e12a08623f1e399c87e

    SHA1

    1b5033e30054b889b904903f5cf65c1df7ee1ce5

    SHA256

    2a240614f3eb2d8b0024d67c6161301d1fbb21f529712c04346857c5afd49a99

    SHA512

    2fc410f29ae5a6fff150d290a46abfd7ea1f6c16167be8ebdfed309820185436e0bd3cf31bbdf3883fbf78e5cf0c505e9073eab9b4f1c462f9205e04f9ea1241