Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
27-09-2024 14:33
Static task
static1
Behavioral task
behavioral1
Sample
2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe
Resource
win10v2004-20240802-en
General
-
Target
2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe
-
Size
3.6MB
-
MD5
782d9f15fc707dc0b15de3a9857dbda0
-
SHA1
bdcdb8b66f769abb78ca323a9b14a71a7cc6d583
-
SHA256
012b4742fe2f04d4fc828a3ed307e03d512f743063ca5dd0ab2aec93beed93e4
-
SHA512
042dffd982dd3d1d69f10c44881c658d5e3c2486b69e39d4845b6d84b0760eb11f674295233a0e224bb4fdab2f73afcbe85a1eeedeec42f40424b550774949f5
-
SSDEEP
49152:VnjrE/bcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:Z34oBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3231) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid Process
2692 tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process
File created C:\WINDOWS\tasksche.exe 2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe
-
Program crash 1 IoCs
pid pid_target Process procid_target
2676 2692 WerFault.exe 32
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasksche.exe
-
Modifies data under HKEY_USERS 1 IoCs
description ioc Process
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 2636 wrote to memory of 2692 2636 2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe 32
PID 2636 wrote to memory of 2692 2636 2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe 32
PID 2636 wrote to memory of 2692 2636 2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe 32
PID 2636 wrote to memory of 2692 2636 2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe 32
PID 2692 wrote to memory of 2676 2692 tasksche.exe 33
PID 2692 wrote to memory of 2676 2692 tasksche.exe 33
PID 2692 wrote to memory of 2676 2692 tasksche.exe 33
PID 2692 wrote to memory of 2676 2692 tasksche.exe 33
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
-
  C:\WINDOWS\tasksche.exe
  Command line: C:\WINDOWS\tasksche.exe /i
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
  -
    C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 36
    - Program crash
    PID:2676
-
C:\Users\Admin\AppData\Local\Temp\2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe
Command line: C:\Users\Admin\AppData\Local\Temp\2024-09-27_782d9f15fc707dc0b15de3a9857dbda0_wannacry.exe -m security
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2780
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.4MB
MD5
764b90f76074ad06b589c69f6e65fc36
SHA1
d42c9d1510a007f4289f98e86309e076fc2499db
SHA256
3b2edfff7b8ad08c31f303e22cc87ee3c5baedc029cabbb78f71bbebee52998e
SHA512
4a553168a362f7a99111b3dca705698e4279e734378a24716ad5a00625996b4565c563c01d5b258d9c467f8a15289e8659451ba2c78dded6d58afcdafedaccaa