Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12-10-2024 04:22
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe
-
Size
3.6MB
-
MD5
85080b789b12e0d26ba401e31c5eddb4
-
SHA1
e684fa8cdec104255080217c9fbf60f8cace0112
-
SHA256
c03dc601c7e9a36ce275d52a62d9e6c6c00fc9dff656d9c6110e37cb73ebd648
-
SHA512
3689b74dd044f65e8c7a03c3807fda2bd8fb677444db01b7d611a0d7b1216eb6583b7b8d7d2df1991c78c96f5ec9e6c8c40ec7ec7470021ac52ec9ae5cc636fd
-
SSDEEP
49152:XnjQqMSPbcBVQej/hINRx+TSqTdX1HkQo6SAARd:X8qPoBhzhaRxcSUDk36SAEd
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3378) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid Process 2588 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe 2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1492 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2588
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-10-12_85080b789b12e0d26ba401e31c5eddb4_wannacry.exe -m security1⤵
- System Location Discovery: System Language Discovery
PID:4736
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5cff065cd4891c1ca717ea2a3c32d8f64
SHA1500460fe4b02b0265d3a397a266a2170f553c254
SHA256da1365f0c824f03a7034f96cbc7d40b18b823e2a298b415fdce4e8822af78613
SHA5124c1a8562537b185436c61c4d385a0cc44a02ae818afa26f19c8b7a2f2ef20e777b9ccfb3a8acc3894296ea189d60ada64b30e8a922df4da4c95485074a446479