Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2024 15:26

Static task: static1

Behavioral task: behavioral1
- Sample: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe
- Resource: win10v2004-20241007-en
General
- Target: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe
- Size: 2.4MB
- MD5: 1d7c6e871159b6b01072cebe683b955a
- SHA1: dcf5f38e71aec895fc1c9f97548daf7201fc7275
- SHA256: d13f287506b003c20bc36ef96e67b335869b11d88ead5d7e6ec14e2b0366912d
- SHA512: 47678355c11c7552dccebafafac5cda705169bde83d0bbc165dffdb73c22423686848e700cd8236f2b5e5baf5973f9e17eb4eafe30b7f24e277ca40a649dcb3b
- SSDEEP: 49152:7npEKUacBVQej/1INRx+TSqTdX1HkQo6SAARdhnvXiHgYk6:LpyfBhz1aRxcSUDk36SAEdhvXiHgYk
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (2392) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Drivers directory (2 IoCs)
- File created: C:\Windows\SysWOW64\drivers\npf.sys (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\npf.sys (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)

YARA rule matches (resource: rule)
- behavioral2/files/0x000a000000023b7f-19.dat: aspack_v212_v242
- behavioral2/files/0x000a000000023b7e-25.dat: aspack_v212_v242
- behavioral2/files/0x000a000000023b80-24.dat: aspack_v212_v242

Executes dropped EXE (3 IoCs)
- PID 2584: sysmgr.exe
- PID 3460: CTFMON.EXE
- PID 3568: tasksche.exe

Loads dropped DLL (5 IoCs)
- PID 3460: CTFMON.EXE
- PID 3460: CTFMON.EXE
- PID 3460: CTFMON.EXE
- PID 3460: CTFMON.EXE
- PID 3460: CTFMON.EXE

Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\E: (process: sysmgr.exe)
- File opened (read-only): \??\G: (process: sysmgr.exe)

Modifies WinLogon (2 TTPs, 1 IoC)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4" (process: sysmgr.exe)

Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (12 IoCs)
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe (process: sysmgr.exe)
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe (process: sysmgr.exe)
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe (process: sysmgr.exe)
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe (process: sysmgr.exe)
- File opened for modification: C:\Program Files\7-Zip\7zG.exe (process: sysmgr.exe)
- File opened for modification: C:\Program Files\7-Zip\Uninstall.exe (process: sysmgr.exe)
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe (process: sysmgr.exe)
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe (process: sysmgr.exe)
- File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe (process: sysmgr.exe)
- File opened for modification: C:\PROGRAM FILES\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File opened for modification: C:\Program Files\7-Zip\7z.exe (process: sysmgr.exe)
- File opened for modification: C:\Program Files\7-Zip\7zFM.exe (process: sysmgr.exe)

Drops file in Windows directory (17 IoCs)
- File created: C:\Windows\sysmgr.exe (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File created: C:\Windows\eee.exe (process: tasksche.exe)
- File created: C:\Windows\sysmgr.exe (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File created: C:\Windows\pthreadvc.dll (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File created: C:\Windows\packet.dll (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File created: C:\Windows\__tmp_rar_sfx_access_check_240643078 (process: tasksche.exe)
- File created: C:\Windows\conf.dat (process: sysmgr.exe)
- File created: C:\WINDOWS\tasksche.exe (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File opened for modification: C:\Windows\CTFMON.EXE (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File opened for modification: C:\Windows\conf.dat (process: sysmgr.exe)
- File created: C:\Windows\CTFMON.EXE (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File created: C:\Windows\pthreadvc.dll (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File created: C:\Windows\packet.dll (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File created: C:\Windows\wpcap.dll (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File created: C:\Windows\CTFMON.EXE (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File created: C:\Windows\svc.dat (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- File created: C:\Windows\wpcap.dll (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: tasksche.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: CTFMON.EXE)

Modifies data under HKEY_USERS (15 IoCs)
All entries below were made by process 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe.
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
- Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 3460: CTFMON.EXE

Suspicious use of WriteProcessMemory (9 IoCs)
- PID 704 wrote to memory of 2584 (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe, procid_target 83)
- PID 704 wrote to memory of 2584 (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe, procid_target 83)
- PID 704 wrote to memory of 2584 (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe, procid_target 83)
- PID 704 wrote to memory of 3460 (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe, procid_target 86)
- PID 704 wrote to memory of 3460 (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe, procid_target 86)
- PID 704 wrote to memory of 3460 (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe, procid_target 86)
- PID 704 wrote to memory of 3568 (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe, procid_target 96)
- PID 704 wrote to memory of 3568 (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe, procid_target 96)
- PID 704 wrote to memory of 3568 (process: 2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe, procid_target 96)
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe"
  PID: 704
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\sysmgr.exe
    Command line: "C:\Windows\sysmgr.exe"
    PID: 2584
    - Executes dropped EXE
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery

  Depth 2: C:\Windows\CTFMON.EXE
    Command line: C:\Windows\CTFMON.EXE
    PID: 3460
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

  Depth 2: C:\WINDOWS\tasksche.exe
    Command line: C:\WINDOWS\tasksche.exe /i
    PID: 3568
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery

Depth 1: C:\Users\Admin\AppData\Local\Temp\2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe -m security
  PID: 1876
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
MITRE ATT&CK Enterprise v15
Downloads