Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2024 15:26

General

  • Target

    2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe

  • Size

    2.4MB

  • MD5

    1d7c6e871159b6b01072cebe683b955a

  • SHA1

    dcf5f38e71aec895fc1c9f97548daf7201fc7275

  • SHA256

    d13f287506b003c20bc36ef96e67b335869b11d88ead5d7e6ec14e2b0366912d

  • SHA512

    47678355c11c7552dccebafafac5cda705169bde83d0bbc165dffdb73c22423686848e700cd8236f2b5e5baf5973f9e17eb4eafe30b7f24e277ca40a649dcb3b

  • SSDEEP

    49152:7npEKUacBVQej/1INRx+TSqTdX1HkQo6SAARdhnvXiHgYk6:LpyfBhz1aRxcSUDk36SAEdhvXiHgYk

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (2392) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Drivers directory 2 IoCs
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 17 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe"
    1⤵
    • Drops file in Drivers directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:704
    • C:\Windows\sysmgr.exe
      "C:\Windows\sysmgr.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies WinLogon
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:2584
    • C:\Windows\CTFMON.EXE
      C:\Windows\CTFMON.EXE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:3460
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:3568
  • C:\Users\Admin\AppData\Local\Temp\2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-11_1d7c6e871159b6b01072cebe683b955a_nymaim_wannacry.exe -m security
    1⤵
    • Drops file in Drivers directory
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\wctCBEB.tmp

    Filesize

    40.4MB

    MD5

    e9fc6b5fec814b068f611dbce204f631

    SHA1

    7c85393e6e0cd446ee981fcb322be8c7cb86231b

    SHA256

    546379208b734444eb991bee7ced30d4dc0881f5e37c5674baabf6c1f1f1d95a

    SHA512

    64895d20b5f2447c26a4c3557e2e872eb9108ffaeb1ce34d503d0e4c6e2fbbcac70a755b1f7ee65ec4de951148eb5f9d2346d69c3e7340e35f4984afef90419c

  • C:\Windows\CTFMON.EXE

    Filesize

    255KB

    MD5

    72873f4751bb634959daf19071eac873

    SHA1

    997b4965ce18c1173b5e7bd9064b8f479da23cd4

    SHA256

    fbe6aa7200069f404a577c71ec485739fc8bd3c464b5b08efb8634ccb8f802f4

    SHA512

    d3a45e05a042007413a5d928b54b7d44dd597d3a6a00bfe1255c61fec371cd26376e0ab036708d9ce38f4cc2f416c7f85353249047563e9173e8ded545417d68

  • C:\Windows\SysWOW64\drivers\npf.sys

    Filesize

    29KB

    MD5

    5c14de7d04d00aac3f03b569f2ea4664

    SHA1

    a26ae78a204791548be000824a1ad05524bdd2e8

    SHA256

    fac5bcebde87a261b4fb5a110765e53c96f0ef27b24ca94762f2c2ddb4da4204

    SHA512

    4bcbc4f0ab7b52f4303206fafd9d0bafea02bb25d8395a80eb6390b30ccc750379fb7fe9e0bf5a4a025cedb9e4702b7655963e360f2f983526dbc2e1efaa814f

  • C:\Windows\conf.dat

    Filesize

    39B

    MD5

    8bb0b4f69609d6a0c8dc89dca56b3f01

    SHA1

    ea3e1e01db3aeae1d0632bfbda969393fde69c25

    SHA256

    67aafceb6d0437ec07570cf33eeb6de7ebafc2090066c30d072dc7f9421fe783

    SHA512

    7425f57d55bf64067fc4a1a6daac9d9b3a321be9fef1c1e60ee650d08d24cff577f760eb23b205d0e03ba3dbc75fdd5ba05e13c66c5a9b07cfe9ec3dec6ad50d

  • C:\Windows\packet.dll

    Filesize

    32KB

    MD5

    f46c27d67c0ce202ebf4b771cb56ec00

    SHA1

    f999454d0aaabccfda7a50c8cb0818e50a7a1d91

    SHA256

    a68c877cd9c7562c66c722b4d0cd9fa366c65465d4c47ab63bf28bd5f1a69bcc

    SHA512

    2b7c6f7e865f88625a05c85226a95319656648029ef1c1b92b3a6c2dea7a4f7cf7d157c09af32c8689c76c6247852cd5af72d4f0dbb4dbcc3fe3c24681d53dbf

  • C:\Windows\pthreadvc.dll

    Filesize

    24KB

    MD5

    ea20ca545a351384486cef574b7a5571

    SHA1

    a1f01df09df62e933e4ff289361641b06ff31548

    SHA256

    2bd8d9dd8739e17828f8a87b73d592d4fd17988bbb0ea4a4d4cbda57129e8e48

    SHA512

    64b3dee275fb1830254fa2a95778b26864708c0b5e348cf5919ded013cda3872fe26304c846fa7968b24f60e2b6105c4813ff9e695bd6bb52897318cdecd382b

  • C:\Windows\svc.dat

    Filesize

    2KB

    MD5

    c201c6a2b4a1be50af9a6389c7af81ff

    SHA1

    2044ff7087b2f00a1bb31b23b78f8d04b258031c

    SHA256

    66f484a02af1154b245f3c20584050621fecf4f779d4e0e999e6187b61c7fa55

    SHA512

    da2167f93b789cd1ad8ce4ab7e82e3daddb41cd0e840d7b7f4ecf3d5ee955699f4213b14dfc4d15c66a262f8c06ab70dd44b6f6e8a958338baa46a19ff80bae6

  • C:\Windows\sysmgr.exe

    Filesize

    36KB

    MD5

    2373dfbdba70b54164d4fe163f7f59f1

    SHA1

    fbc51778f9e4868ddce4763d0bef4cb48090e3f6

    SHA256

    e506e529d2d1d80ba433d4dec9fcbf07506112c8d0a130bed322f03346640456

    SHA512

    32e48c596def05ddd1c987ae54cb069f750e0e4a993aa9f5c1d69e11c49ca90f6d324dfb4fa7c29c7d642eb2d939b2efe9332e0f4f4cbc5a0b2893adbf8598ec

  • C:\Windows\tasksche.exe

    Filesize

    2.0MB

    MD5

    beb8a27fc024962e045c32aa58d07d0e

    SHA1

    796d3613673f323135865c42272abef347add163

    SHA256

    ea2ad4d3bb98673b88e18eea1bf06c371c206b64246a9193b2a64ba4fe4f4900

    SHA512

    e84c03f6f4399b28e0d258b743831f36c621325d9b199cbbdd6982ed51280facfc5a953a2393788bbc54efb653f95c9f75ea29c93c147c9227aff3395f788179

  • C:\Windows\wpcap.dll

    Filesize

    117KB

    MD5

    6d79c447d16b96e7a72b12e450b6fa8e

    SHA1

    d2afa5eb9c9ba598f82a6025c1a07d31cb8a30bb

    SHA256

    afe533c6990520d49a4963bb9ce6d563b02d7b299ff4a9c9e4bca31ca6920deb

    SHA512

    6b96c6e79608256807f37a4b74b264074274642b4e4e09ef870d13246b7706582535c1e4f33f2a61281ab4c0ef59fc03c60a54faa6627aee92df52f356b8d966

  • memory/704-31-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/704-0-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/704-55-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/1876-79-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/1876-94-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/1876-105-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/1876-49-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/1876-100-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/1876-99-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/1876-89-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/1876-63-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/1876-68-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/1876-73-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/1876-84-0x0000000000400000-0x000000000094E000-memory.dmp

    Filesize

    5.3MB

  • memory/3460-30-0x0000000002190000-0x00000000021A0000-memory.dmp

    Filesize

    64KB

  • memory/3460-34-0x0000000002150000-0x000000000218E000-memory.dmp

    Filesize

    248KB

  • memory/3460-32-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/3460-15-0x0000000000400000-0x000000000048F000-memory.dmp

    Filesize

    572KB

  • memory/3460-22-0x0000000010000000-0x0000000010012000-memory.dmp

    Filesize

    72KB

  • memory/3460-26-0x0000000002150000-0x000000000218E000-memory.dmp

    Filesize

    248KB