Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2024 13:43
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe
  Resource: win10v2004-20241007-en
General
Target: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe
Size: 3.8MB
MD5: 6b3cf1cf7edd3e1df67d739f6a0f5c1f
SHA1: 4437078cc223b90f3ee8d0e46a66af89d2a47fe5
SHA256: 6077ff43c83a2f3d1a8a6d988749ac4c1b96a05f8f5065b963ea950d1bd43d67
SHA512: 677a34d6a285557f2144aff822a78afe7098490152dde865ad33ca4de71489fc73809b3475142aac1489f67c363fb14c14747ce5b900bb2215f0976f0240f626
SSDEEP: 49152:unsEKUacBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxiHgYk6:asyfBhz1aRxcSUDk36SAEdhvxiHgYk
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
Contacts a large (2259) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
Drops file in Drivers directory 2 IoCs
  File created: C:\Windows\SysWOW64\drivers\npf.sys (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  File opened for modification: C:\Windows\SysWOW64\drivers\npf.sys (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
resource / yara_rule:
  behavioral2/files/0x000a000000023b9d-13.dat  aspack_v212_v242
  behavioral2/files/0x000a000000023b9e-18.dat  aspack_v212_v242
  behavioral2/files/0x000b000000023b9c-21.dat  aspack_v212_v242
Executes dropped EXE 2 IoCs
  pid 3708  CTFMON.EXE
  pid 4184  tasksche.exe
Loads dropped DLL 5 IoCs
  pid 3708  CTFMON.EXE (all 5 entries)
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 12 IoCs
  File opened for modification (all by process CTFMON.EXE):
  C:\PROGRAM FILES\7-Zip\History.txt
  C:\PROGRAM FILES\7-Zip\Lang
  C:\PROGRAM FILES\7-Zip\License.txt
  C:\PROGRAM FILES\7-Zip\7z.sfx
  C:\PROGRAM FILES\7-Zip\7zCon.sfx
  C:\PROGRAM FILES\7-Zip\7zG.exe
  C:\PROGRAM FILES\7-Zip\descript.ion
  C:\PROGRAM FILES\7-Zip\readme.txt
  C:\PROGRAM FILES\7-Zip\Uninstall.exe
  C:\PROGRAM FILES\7-Zip\7-zip.chm
  C:\PROGRAM FILES\7-Zip\7z.exe
  C:\PROGRAM FILES\7-Zip\7zFM.exe
Drops file in Windows directory 12 IoCs
  File created: C:\WINDOWS\tasksche.exe (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  File created: C:\Windows\pthreadvc.dll (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  File created: C:\Windows\packet.dll (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  File opened for modification: C:\Windows\CTFMON.EXE (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  File created: C:\Windows\pthreadvc.dll (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  File created: C:\Windows\packet.dll (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  File created: C:\Windows\eee.exe (process: tasksche.exe)
  File created: C:\Windows\wpcap.dll (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  File created: C:\Windows\CTFMON.EXE (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  File created: C:\Windows\wpcap.dll (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  File created: C:\Windows\CTFMON.EXE (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  File created: C:\Windows\__tmp_rar_sfx_access_check_240659765 (process: tasksche.exe)
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: CTFMON.EXE)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tasksche.exe)
Modifies data under HKEY_USERS 15 IoCs
  (all by process 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Key created: \REGISTRY\USER\.DEFAULT\Software
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
  pid 3708  CTFMON.EXE
Suspicious use of WriteProcessMemory 6 IoCs
  PID 2720 wrote to memory of 3708  (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe, procid_target: 84)  (3 entries)
  PID 2720 wrote to memory of 4184  (process: 2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe, procid_target: 90)  (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe"
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2720
  C:\Windows\CTFMON.EXE (depth 2)
    Command line: C:\Windows\CTFMON.EXE
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID: 3708
  C:\WINDOWS\tasksche.exe (depth 2)
    Command line: C:\WINDOWS\tasksche.exe /i
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 4184
C:\Users\Admin\AppData\Local\Temp\2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-11_6b3cf1cf7edd3e1df67d739f6a0f5c1f_wannacry.exe -m security
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID: 2972
Network
MITRE ATT&CK Enterprise v15
Downloads