Analysis
- max time kernel: 35s
- max time network: 38s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-09-2024 23:37
Static task: static1
Behavioral task: behavioral1
Sample: 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
Resource: win10v2004-20240802-en
General
- Target: 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
- Size: 2.2MB
- MD5: 30530f95e73bb03e52eb2554996d509a
- SHA1: 8178d0f442b3b186f1e0da15c4524bb044cec6f4
- SHA256: 5ef8d0008552e723697e9164c8da769099c2833a2fa795208038eb2e1982f94a
- SHA512: 32f2acf1b2236a7b015016790d7de21d1f36e18a53817c9b4c496a7114e0312033d064e0dcb477e7281936715402e14a3b6698239b6b5991cf9b2bde3054c3ef
- SSDEEP: 49152:QnpzMSPbcBVQej/1INgwuqzgX8knK4JKARp:QpzPoBhz1ay
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Drops file in System32 directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe

- Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\WINDOWS\tasksche.exe | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe

- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe

- Modifies data under HKEY_USERS (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | 2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe

- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | Process
  2280 | taskmgr.exe (9 occurrences)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2280 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 2280 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 2280 | taskmgr.exe

- Suspicious use of FindShellTrayWindow (20 IoCs)
  pid | Process
  2280 | taskmgr.exe (20 occurrences)

- Suspicious use of SendNotifyMessage (20 IoCs)
  pid | Process
  2280 | taskmgr.exe (20 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 3208

- C:\Users\Admin\AppData\Local\Temp\2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe -m security
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID: 4204

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
  PID: 3848

- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2280