Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2024 04:44

General

  • Target

    2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe

  • Size

    3.6MB

  • MD5

    0d30660a70eeb7ab2ed50a35fa7815e1

  • SHA1

    c829f4b9deb22dd056457d966cfc91851c7e6203

  • SHA256

    30e62399385ba866ec73329003f3d449f155b506de9f6841f13365251587965e

  • SHA512

    59b290dcd7755d8d9df4da10a57b2a8c3d8ee4a6824f8deebd2655edaf8619778a7b5e8260ea0bb311f3af367ecec325c6d1e2304acb7623e0ba4cfaba4607a9

  • SSDEEP

    49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvt28NLr:yDqPoBhz1aRxcSUDk36SAEdhvtz

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3338) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2672
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2796
  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-12_0d30660a70eeb7ab2ed50a35fa7815e1_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    23ae8c70eb07d07a5a15e028b6192da7

    SHA1

    2154f3f969ded57385b803049ac3c444eff44538

    SHA256

    62d367cdbd055d781fbbd50a2923898a2f3f94b76efafbe331ded0024706def2

    SHA512

    738389fc4da5ff73d09631da196db1506410f839955163bf8e897ea68d5b6e5be432e2f445a656a307ea75b951885ac750bb36a40206c09d6c984e8dbc0ae57b