Resubmissions

26-09-2024 23:37

240926-3l6f3stfmq 10

02-09-2024 23:31

240902-3h3k1s1gka 10

Analysis

  • max time kernel
    35s
  • max time network
    38s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-09-2024 23:37

General

  • Target

    2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe

  • Size

    2.2MB

  • MD5

    30530f95e73bb03e52eb2554996d509a

  • SHA1

    8178d0f442b3b186f1e0da15c4524bb044cec6f4

  • SHA256

    5ef8d0008552e723697e9164c8da769099c2833a2fa795208038eb2e1982f94a

  • SHA512

    32f2acf1b2236a7b015016790d7de21d1f36e18a53817c9b4c496a7114e0312033d064e0dcb477e7281936715402e14a3b6698239b6b5991cf9b2bde3054c3ef

  • SSDEEP

    49152:QnpzMSPbcBVQej/1INgwuqzgX8knK4JKARp:QpzPoBhz1ay

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 20 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:3208
  • C:\Users\Admin\AppData\Local\Temp\2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-02_30530f95e73bb03e52eb2554996d509a_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4204
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:8
    1⤵
      PID:3848
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2280

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2280-3-0x0000016CFE780000-0x0000016CFE781000-memory.dmp

      Filesize

      4KB

    • memory/2280-2-0x0000016CFE780000-0x0000016CFE781000-memory.dmp

      Filesize

      4KB

    • memory/2280-1-0x0000016CFE780000-0x0000016CFE781000-memory.dmp

      Filesize

      4KB

    • memory/2280-13-0x0000016CFE780000-0x0000016CFE781000-memory.dmp

      Filesize

      4KB

    • memory/2280-12-0x0000016CFE780000-0x0000016CFE781000-memory.dmp

      Filesize

      4KB

    • memory/2280-11-0x0000016CFE780000-0x0000016CFE781000-memory.dmp

      Filesize

      4KB

    • memory/2280-10-0x0000016CFE780000-0x0000016CFE781000-memory.dmp

      Filesize

      4KB

    • memory/2280-9-0x0000016CFE780000-0x0000016CFE781000-memory.dmp

      Filesize

      4KB

    • memory/2280-8-0x0000016CFE780000-0x0000016CFE781000-memory.dmp

      Filesize

      4KB

    • memory/2280-7-0x0000016CFE780000-0x0000016CFE781000-memory.dmp

      Filesize

      4KB