wannacry | 56797ba57bc37fe2bb8f7330577198555f0bf56d77413bf42e94a8b5d0814cc6

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe
Size

3.6MB
MD5

9901a660e1a3cdc16d92ba26a3973f91
SHA1

2e5fca353edd6839dcd3effbbc0327450471f82c
SHA256

56797ba57bc37fe2bb8f7330577198555f0bf56d77413bf42e94a8b5d0814cc6
SHA512

059172a78bef910787f44c02179b52a9b841fdeb101ad80ddd5d53cb962ee90f375d6e0e84437cb7c4f41777221a951ecad4af79ecb565e34b04a379fd965c2d
SSDEEP

49152:XnjQXej/1INRx+TSqTdX1HkQo6SAAZ0vZ6GIk:X8Oz1aRxcSUDk36SAc0B6GIk

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3263) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
2036	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2036	2428	202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe	31
PID 2428 wrote to memory of 2036	2428	202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe	31
PID 2428 wrote to memory of 2036	2428	202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe	31
PID 2428 wrote to memory of 2036	2428	202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe	31

C:\Users\Admin\AppData\Local\Temp\202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2036

C:\Users\Admin\AppData\Local\Temp\202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe
C:\Users\Admin\AppData\Local\Temp\202409279901a660e1a3cdc16d92ba26a3973f91wannacry.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
5fdc7e8eea19b1b6789e0a935b94e00b

SHA1
1199939c48a39be28a1bc7b429c2e991a8e65c29

SHA256
d8019f16916e6006fef231ac9d64805bebf21b068daa301968a4b21afd2cb741

SHA512
afd588323d0af4ba6a414d51882de70af128fa5ecf65e5131e58013d4954a0761bde915d421cf2a0cb66f9d49beedf958adc7d94103220f07e0959c8fca14fce

Download Submit