Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10-10-2024 23:56
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe
-
Size
3.6MB
-
MD5
4d85f13ff14542b7f041e02af35a05d9
-
SHA1
93988c5a2345029acb47e72151184a9499bdb06e
-
SHA256
0752c147b93fb4c1bfb8fcbb2fa10d51d6d39e2dda08d0b531f20ec875854a92
-
SHA512
8eddf1e6a1f5e537c2f15b20feb6c5dc8819d93b77f02a6ee82e2e409fc3111f27dfd5deba58787f265704136734db1ca82e6f4252b0afd1324ad7bc593b4184
-
SSDEEP
98304:ZDqPoBhz1aRxcSUDkA6SAEdhvxWa9C93R8yAVp2HI:ZDqPe1CxcxkAZAEUamR8yc4HI
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3169) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid Process 320 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D693B6FF-DAF6-41EC-86A2-DDB952AEF3B1}\WpadDecision = "0" 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-1e-c8-33-1e-70\WpadDecisionReason = "1" 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-1e-c8-33-1e-70\WpadDecision = "0" 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D693B6FF-DAF6-41EC-86A2-DDB952AEF3B1}\WpadNetworkName = "Network 3" 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D693B6FF-DAF6-41EC-86A2-DDB952AEF3B1}\WpadDecisionReason = "1" 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D693B6FF-DAF6-41EC-86A2-DDB952AEF3B1}\e2-1e-c8-33-1e-70 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D693B6FF-DAF6-41EC-86A2-DDB952AEF3B1} 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-1e-c8-33-1e-70\WpadDecisionTime = a075d709701bdb01 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-1e-c8-33-1e-70 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0196000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D693B6FF-DAF6-41EC-86A2-DDB952AEF3B1}\WpadDecisionTime = a075d709701bdb01 2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3032 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:320
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe -m security1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2416
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5e11c972f9c565b12a4d2220d47483b82
SHA151cb4bf34488ce4f60a0f8696eab692ea9ed4cae
SHA256ee85e2151059f52333bec7cc0f72cf24d8324aea64924263da5803c776879f61
SHA512a13aeced6e82461e0ac9939ea602ef92a14e33cfe29374de750fd8d179b5db61b2adee29bdd5177fc6e0c4ec9a122e21f790ace1c4be224b60c71eb0f51bc843