Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    12-10-2024 04:24

General

  • Target

    2024-10-12_0077238064f7f71dd35e164f9dde8828_wannacry.exe

  • Size

    2.2MB

  • MD5

    0077238064f7f71dd35e164f9dde8828

  • SHA1

    4ac6074d2b57231a546481d3b209f9b173e0d2bd

  • SHA256

    4b721f99c5b9ee83b3e7b1927056985c7aae2f6e3fac0f0f3dc08cbd24ccb270

  • SHA512

    1242df145c5dc5f0cc768757c42a681e4114c2ee921e13dc7e771f6190b3396571f4f3663d4047a3e0fd41966bfe60c1d9d1c1607548f6f587f42e20e36114f9

  • SSDEEP

    24576:QbLguriIfEcQdIvrYbcMNgef0QeQjG/D8kIq9vn:QnpEjbcBVQej/5vn

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3292) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_0077238064f7f71dd35e164f9dde8828_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_0077238064f7f71dd35e164f9dde8828_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1416
  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_0077238064f7f71dd35e164f9dde8828_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-12_0077238064f7f71dd35e164f9dde8828_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\tasksche.exe

    Filesize

    2.0MB

    MD5

    c6380d7dbc203786e1d790563fdcdab1

    SHA1

    3ad71555d309cb8075ebdffdbc323279110572d9

    SHA256

    a2bc4ceb451f9f81fed063b395a6a0a9e7d4cc06e311df15d082bd0a7081d8c4

    SHA512

    e2eb48c4a6781ccf00c2d75d36c0a762a814dfda030481ee4f0ada456895442f6ce75f5e9e8ddc487dd41d6f469347ba007398a48901e6ce3e2df0725548ba38