Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    11-10-2024 01:18

General

  • Target

    2024-10-11_cc8585f79612fb22844c7a51c1114cf1_wannacry.exe

  • Size

    3.6MB

  • MD5

    cc8585f79612fb22844c7a51c1114cf1

  • SHA1

    e08744950c782b19f464a5c97c5080c44d454fab

  • SHA256

    710f1426e6c6b241a839f0786d9c1d9dfdab26d2ae2c9cb66deffecc86be18f8

  • SHA512

    042ec2728a13d4b865d508f1361f7c12b7299a8bc34da11854428a61dfe5d7735e9d7af2a4cc3dc0974f5d22fa97f05e12fa6c37a27c76e35b9e7026c227d0cb

  • SSDEEP

    49152:VnjQqMSPbcBVQej/1IudhnvXAMEcPA5HI:Z8qPoBhz1ldhvX5kHI

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3343) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-11_cc8585f79612fb22844c7a51c1114cf1_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-11_cc8585f79612fb22844c7a51c1114cf1_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:3520
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2568
  • C:\Users\Admin\AppData\Local\Temp\2024-10-11_cc8585f79612fb22844c7a51c1114cf1_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-11_cc8585f79612fb22844c7a51c1114cf1_wannacry.exe -m security
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    b29d4d674f68ad7beba6064838e0c48d

    SHA1

    1a938d3cf13b4e17c28a095d51532d28ae50fe66

    SHA256

    20c20defe5796ddbbc5c15ea660000a04ab1faf80c5edfa0031eca16d528afdb

    SHA512

    6bb61d07cf9a122c284dbbafb715ab2a32492c2a60a0257e801a00e02d7b6f5930ed1dd9d02c2d782bb9d3503946782c6b9b9e47d9915271567257411d15309e