Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 13:31

General

  • Target

    2024-10-11_34bc4b258d570831737f598609bcccbc_wannacry.exe

  • Size

    5.0MB

  • MD5

    34bc4b258d570831737f598609bcccbc

  • SHA1

    fdcd9c9a8726ee712753e9fd9152a0894f1c42cb

  • SHA256

    b3dfea531c87023e2a9dbeb6591a0da765e218432fc8703e352cfaa56c2d36c6

  • SHA512

    3f5e36ecdedc838603519618533c9adcc4c89047840381624341a0181a091bc45dc7a34686ae087ea170e10a7dca331ca1b4560d945798b1136809dcb214a4f6

  • SSDEEP

    24576:2bLgddQhfdmMSirYbcMNgef0sX6SASk+RdhAdmv:2nAQqMSPbcBVQ6SAARdhnv

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3172) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-11_34bc4b258d570831737f598609bcccbc_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-11_34bc4b258d570831737f598609bcccbc_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2756
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2964
  • C:\Users\Admin\AppData\Local\Temp\2024-10-11_34bc4b258d570831737f598609bcccbc_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-11_34bc4b258d570831737f598609bcccbc_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    828658a827c964a7a084d62427d1612d

    SHA1

    cd6dc753cecef588d9729cc30980fe6e1092392c

    SHA256

    478741f89aaa28d008b159e10296d771f34654ddc179a494a3dd9f94d365b8b6

    SHA512

    aeaf012657450eede6cdadffcebb808a727b592c6cd954eadb8dc29bbb860ee615bf3e1bebef2a9e530a274b902e91bcfa41e996ce0ba27d77fdad620a9b4544