Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-10-2024 04:59

General

  • Target

    2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe

  • Size

    3.6MB

  • MD5

    7ef672e3e1d9015a95831848fe26f068

  • SHA1

    488aa9ed4472f657f0f49afadb668f65b294d3eb

  • SHA256

    68baedde98de0b2c5988b4afed250d8e946846e67093b3ecb42e2cfc722578e7

  • SHA512

    d78d71b8c3f0013aa872c567019e5b95f2ac3b7ed00ab4f9bc4d3d41b7633cb83531e33fde80f90427fec9af019e32b0b728daf652268eb06007fb118421e26e

  • SSDEEP

    98304:XDqPoBhz1aRxcSUDk36SAEdhvxWa9U2HI:XDqPe1Cxcxk3ZAEUahHI

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm: it encrypts files on the infected host and propagates to other machines over SMB.

  • Contacts a large number (3270) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2308
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2916
  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2552
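The two behaviours the report flags are the process tree above (the sample dropping and launching C:\WINDOWS\tasksche.exe with /i, and re-invoking itself with -m security) and the burst of connections to thousands of distinct hosts. The following is an added example of detection logic over both, not code from the sandbox or from this report. The event structures, the sample events (constructed to mirror the PIDs and command lines listed above) and the distinct-host threshold of 50 are assumptions; the report itself observed 3270 hosts.

```python
"""Detect the WannaCry process tree and the host-scan burst from sample telemetry."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation event (assumed schema, e.g. from Sysmon event 1)."""
    pid: int
    parent_pid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FlowEvent:
    """Outbound network flow attributed to a process (assumed schema)."""
    pid: int
    dst_ip: str
    dst_port: int


def wannacry_process_hits(events):
    """Return (pid, reason) for processes matching the report's process tree.

    Matches the dropped tasksche.exe launched with /i and a self-invocation
    of the sample with -m security; comparisons are case-insensitive.
    """
    hits = []
    for e in events:
        image = e.image.lower()
        cmd = e.cmdline.lower().strip()
        if image.endswith("\\windows\\tasksche.exe") and cmd.endswith(" /i"):
            hits.append((e.pid, "dropped tasksche.exe launched with /i"))
        elif cmd.endswith(" -m security"):
            hits.append((e.pid, "self-invocation with -m security"))
    return hits


def scan_suspects(flows, threshold=50):
    """Map pid -> distinct destination hosts for processes over the threshold.

    Counting distinct hosts rather than flows is what separates a scan from
    a chatty but legitimate client talking to a handful of servers.
    """
    hosts = defaultdict(set)
    for f in flows:
        hosts[f.pid].add(f.dst_ip)
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


# Constructed sample telemetry mirroring the process tree in the report.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\sample_wannacry.exe"
SAMPLE_PROCS = [
    ProcEvent(2308, 1200, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(2916, 2308, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(2552, 680, SAMPLE_EXE, f"{SAMPLE_EXE} -m security"),
    ProcEvent(4040, 1200, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign
]

# Constructed flows: the worm process touches 3270 distinct hosts, a browser touches 3.
SAMPLE_FLOWS = [
    FlowEvent(2552, f"10.0.{i // 256}.{i % 256}", 445) for i in range(3270)
] + [FlowEvent(4040, ip, 443) for ip in ("93.184.216.34", "151.101.1.69", "104.16.1.1")]


if __name__ == "__main__":
    for pid, reason in wannacry_process_hits(SAMPLE_PROCS):
        print(f"PID {pid}: {reason}")
    for pid, count in scan_suspects(SAMPLE_FLOWS).items():
        print(f"PID {pid}: contacted {count} distinct hosts")
```

Because the sandbox attributes the scan to the -m security instance, the two detections corroborate each other: a process hit plus a scan hit on the same PID is a much stronger signal than either alone.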

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    153f71ef0dd5b40970706d650011a395

    SHA1

    1d7679e4ef4ac9176f79b792ffeca6e21b94695a

    SHA256

    cf9556cd6050cf9b45bb6041ecad928daf41e28abf8d6c9b7aca7ef0e98c9ac9

    SHA512

    1fe0e7d7a53556dfcb07ee8bab0256963f37b89592f8993647f23b94ded33882a809b5300ae36b1788bf56211e2c0f9cdb93912efb2876f06cc1903e200cb482