Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2024 04:22

General

  • Target

    2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe

  • Size

    3.6MB

  • MD5

    85080b789b12e0d26ba401e31c5eddb4

  • SHA1

    e684fa8cdec104255080217c9fbf60f8cace0112

  • SHA256

    c03dc601c7e9a36ce275d52a62d9e6c6c00fc9dff656d9c6110e37cb73ebd648

  • SHA512

    3689b74dd044f65e8c7a03c3807fda2bd8fb677444db01b7d611a0d7b1216eb6583b7b8d7d2df1991c78c96f5ec9e6c8c40ec7ec7470021ac52ec9ae5cc636fd

  • SSDEEP

    49152:XnjQqMSPbcBVQej/hINRx+TSqTdX1HkQo6SAARd:X8qPoBhzhaRxcSUDk36SAEd

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3378) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:1492
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2588
  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe -m security
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4736

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    cff065cd4891c1ca717ea2a3c32d8f64

    SHA1

    500460fe4b02b0265d3a397a266a2170f553c254

    SHA256

    da1365f0c824f03a7034f96cbc7d40b18b823e2a298b415fdce4e8822af78613

    SHA512

    4c1a8562537b185436c61c4d385a0cc44a02ae818afa26f19c8b7a2f2ef20e777b9ccfb3a8acc3894296ea189d60ada64b30e8a922df4da4c95485074a446479