Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    10-10-2024 23:56

General

  • Target

    2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe

  • Size

    3.6MB

  • MD5

    4d85f13ff14542b7f041e02af35a05d9

  • SHA1

    93988c5a2345029acb47e72151184a9499bdb06e

  • SHA256

    0752c147b93fb4c1bfb8fcbb2fa10d51d6d39e2dda08d0b531f20ec875854a92

  • SHA512

    8eddf1e6a1f5e537c2f15b20feb6c5dc8819d93b77f02a6ee82e2e409fc3111f27dfd5deba58787f265704136734db1ca82e6f4252b0afd1324ad7bc593b4184

  • SSDEEP

    98304:ZDqPoBhz1aRxcSUDkA6SAEdhvxWa9C93R8yAVp2HI:ZDqPe1CxcxkAZAEUamR8yc4HI

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3169) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:3032
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:320
  • C:\Users\Admin\AppData\Local\Temp\2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-10_4d85f13ff14542b7f041e02af35a05d9_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    e11c972f9c565b12a4d2220d47483b82

    SHA1

    51cb4bf34488ce4f60a0f8696eab692ea9ed4cae

    SHA256

    ee85e2151059f52333bec7cc0f72cf24d8324aea64924263da5803c776879f61

    SHA512

    a13aeced6e82461e0ac9939ea602ef92a14e33cfe29374de750fd8d179b5db61b2adee29bdd5177fc6e0c4ec9a122e21f790ace1c4be224b60c71eb0f51bc843