Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12-10-2024 04:44
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe
-
Size
3.6MB
-
MD5
0d30660a70eeb7ab2ed50a35fa7815e1
-
SHA1
c829f4b9deb22dd056457d966cfc91851c7e6203
-
SHA256
30e62399385ba866ec73329003f3d449f155b506de9f6841f13365251587965e
-
SHA512
59b290dcd7755d8d9df4da10a57b2a8c3d8ee4a6824f8deebd2655edaf8619778a7b5e8260ea0bb311f3af367ecec325c6d1e2304acb7623e0ba4cfaba4607a9
-
SSDEEP
49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvt28NLr:yDqPoBhz1aRxcSUDk36SAEdhvtz
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3338) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid Process 2796 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1703934C-BB3D-4660-A426-7C1A9ECA713B}\WpadDecisionTime = 60c4e072611cdb01 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1703934C-BB3D-4660-A426-7C1A9ECA713B}\WpadDecision = "0" 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1703934C-BB3D-4660-A426-7C1A9ECA713B}\WpadNetworkName = "Network 3" 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b\WpadDecisionReason = "1" 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b\WpadDecision = "0" 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1703934C-BB3D-4660-A426-7C1A9ECA713B} 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1703934C-BB3D-4660-A426-7C1A9ECA713B}\3e-37-ac-c9-90-6b 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-37-ac-c9-90-6b\WpadDecisionTime = 60c4e072611cdb01 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1703934C-BB3D-4660-A426-7C1A9ECA713B}\WpadDecisionReason = "1" 2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2672 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2796
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe -m security1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2816
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD523ae8c70eb07d07a5a15e028b6192da7
SHA12154f3f969ded57385b803049ac3c444eff44538
SHA25662d367cdbd055d781fbbd50a2923898a2f3f94b76efafbe331ded0024706def2
SHA512738389fc4da5ff73d09631da196db1506410f839955163bf8e897ea68d5b6e5be432e2f445a656a307ea75b951885ac750bb36a40206c09d6c984e8dbc0ae57b