Overview

overview

10

Static

static

3

20240930b4...ry.exe

windows7-x64

10

20240930b4...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-09-2024 17:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20240930b4d5ea873fbaf9cc990201d655cf29b7wannacry.exe

  • Size

    5.0MB

  • MD5

    b4d5ea873fbaf9cc990201d655cf29b7

  • SHA1

    c3216832afe89b5fd71398d6a7d4e3af296a5bc0

  • SHA256

    15fa0ccc45e6774c54205fc9c88d47056a7f8468f2f20f81d76e7817c8c6c851

  • SHA512

    5a8084493a79db6850abfde1055908c3906e6244b99eb33cd267b399e1e7f7a1eca194db951f61ffd544c3ff667cc5ba8732cdfe98562026a31d3eb6a4c96563

  • SSDEEP

    49152:hnpEKUacBVQej/1INRx+TSqTdX1HkQo6SAARdhnvYiHgYk6:FpyfBhz1aRxcSUDk36SAEdhvYiHgYk

Score
10/10
wannacryaspackv2discoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (2103) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Drivers directory 2 IoCs
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 12 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20240930b4d5ea873fbaf9cc990201d655cf29b7wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\20240930b4d5ea873fbaf9cc990201d655cf29b7wannacry.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\CTFMON.EXE
      C:\Windows\CTFMON.EXE
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2580
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1760
  • C:\Users\Admin\AppData\Local\Temp\20240930b4d5ea873fbaf9cc990201d655cf29b7wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\20240930b4d5ea873fbaf9cc990201d655cf29b7wannacry.exe -m security
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\CTFMON.EXE
    Filesize

    255KB

    MD5

    a8ec13a62127ea9c3dd3b61e253a57a1

    SHA1

    4e485cf82756724d554f527ed551af085a431486

    SHA256

    f2b7038d44d62e8129d92dfb15f29512b74ae78f57a01eec1d8a8ed091150e86

    SHA512

    2ae1dd2fd87f7f7dfb49d26a44964dcbe85f90c26ee5d8b0581c1f64f636bf5062ddbacf60cc99bbc72a5839ce6b62c88e4da4d6572790af8252680dcda22319

    Download Submit

  • C:\Windows\SysWOW64\drivers\npf.sys
    Filesize

    29KB

    MD5

    5c14de7d04d00aac3f03b569f2ea4664

    SHA1

    a26ae78a204791548be000824a1ad05524bdd2e8

    SHA256

    fac5bcebde87a261b4fb5a110765e53c96f0ef27b24ca94762f2c2ddb4da4204

    SHA512

    4bcbc4f0ab7b52f4303206fafd9d0bafea02bb25d8395a80eb6390b30ccc750379fb7fe9e0bf5a4a025cedb9e4702b7655963e360f2f983526dbc2e1efaa814f

    Download Submit

  • C:\Windows\packet.dll
    Filesize

    32KB

    MD5

    f46c27d67c0ce202ebf4b771cb56ec00

    SHA1

    f999454d0aaabccfda7a50c8cb0818e50a7a1d91

    SHA256

    a68c877cd9c7562c66c722b4d0cd9fa366c65465d4c47ab63bf28bd5f1a69bcc

    SHA512

    2b7c6f7e865f88625a05c85226a95319656648029ef1c1b92b3a6c2dea7a4f7cf7d157c09af32c8689c76c6247852cd5af72d4f0dbb4dbcc3fe3c24681d53dbf

    Download Submit

  • C:\Windows\pthreadvc.dll
    Filesize

    24KB

    MD5

    ea20ca545a351384486cef574b7a5571

    SHA1

    a1f01df09df62e933e4ff289361641b06ff31548

    SHA256

    2bd8d9dd8739e17828f8a87b73d592d4fd17988bbb0ea4a4d4cbda57129e8e48

    SHA512

    64b3dee275fb1830254fa2a95778b26864708c0b5e348cf5919ded013cda3872fe26304c846fa7968b24f60e2b6105c4813ff9e695bd6bb52897318cdecd382b

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    2.0MB

    MD5

    beb8a27fc024962e045c32aa58d07d0e

    SHA1

    796d3613673f323135865c42272abef347add163

    SHA256

    ea2ad4d3bb98673b88e18eea1bf06c371c206b64246a9193b2a64ba4fe4f4900

    SHA512

    e84c03f6f4399b28e0d258b743831f36c621325d9b199cbbdd6982ed51280facfc5a953a2393788bbc54efb653f95c9f75ea29c93c147c9227aff3395f788179

    Download Submit

  • C:\Windows\wpcap.dll
    Filesize

    117KB

    MD5

    6d79c447d16b96e7a72b12e450b6fa8e

    SHA1

    d2afa5eb9c9ba598f82a6025c1a07d31cb8a30bb

    SHA256

    afe533c6990520d49a4963bb9ce6d563b02d7b299ff4a9c9e4bca31ca6920deb

    SHA512

    6b96c6e79608256807f37a4b74b264074274642b4e4e09ef870d13246b7706582535c1e4f33f2a61281ab4c0ef59fc03c60a54faa6627aee92df52f356b8d966

    Download Submit

  • memory/1792-22-0x0000000000400000-0x0000000000944000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/1792-54-0x0000000000400000-0x0000000000944000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/1792-13-0x00000000002B0000-0x000000000033F000-memory.dmp

    Filesize

    572KB

    Download

  • memory/1792-12-0x00000000002B0000-0x000000000033F000-memory.dmp

    Filesize

    572KB

    Download

  • memory/1792-0-0x0000000000400000-0x0000000000944000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/1792-32-0x0000000000400000-0x0000000000944000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2580-17-0x0000000010000000-0x0000000010012000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2580-25-0x0000000000590000-0x00000000005CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2580-23-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

    Download

  • memory/2580-20-0x0000000000320000-0x0000000000330000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2580-18-0x0000000000590000-0x00000000005CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2580-14-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

    Download

  • memory/2804-39-0x0000000000400000-0x0000000000944000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2804-61-0x0000000000400000-0x0000000000944000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2804-76-0x0000000000400000-0x0000000000944000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2804-81-0x0000000000400000-0x0000000000944000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2804-86-0x0000000000400000-0x0000000000944000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2804-91-0x0000000000400000-0x0000000000944000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2804-96-0x0000000000400000-0x0000000000944000-memory.dmp

    Filesize

    5.3MB

    Download