wannacry | 7c445534a57d1b29a88ac2a2c518e2e54c282d1c2c626917b994943d68764605

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 00:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe
Size

3.6MB
MD5

4042dbc8f0fa33e970459a6e53b6773e
SHA1

46866d7c274cb87403eb74df92115ac48b47a41a
SHA256

7c445534a57d1b29a88ac2a2c518e2e54c282d1c2c626917b994943d68764605
SHA512

87002468e79c5c88900bc0046c6ee1baca11f05b2609418d44a29751f53c7b74b6f40e344c7183a58c1534327244e30ab212843bcd674542fa0bc61f3c02dec2
SSDEEP

98304:yDqPoBhz1aRxcSUDk36SAEdhvxWa9P5938:yDqPe1Cxcxk3ZAEUadz8

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3302) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
1136	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe

C:\Users\Admin\AppData\Local\Temp\202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe
"C:\Users\Admin\AppData\Local\Temp\202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2060
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:1136

C:\Users\Admin\AppData\Local\Temp\202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe
C:\Users\Admin\AppData\Local\Temp\202409274042dbc8f0fa33e970459a6e53b6773ewannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4468,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:8
1⤵
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
59c4d43b85ab448e60cd33bc840bb513

SHA1
45db77fb57ee401e2b8b9d0d65577b7c5f460e53

SHA256
3429e91c6d1e0b4937ba3968dcc3de0cf9c3d183e9e854c843e30449b2404bb6

SHA512
dfc74a6e482f099e9da7fe578320a9f5e8977ae2eb9ba5ca1d80114a8e61cb3f61c78c36d48070c9e9882f6388a166b6c823814e13f2011e5e14686fe692ac86

Download Submit