Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
12-10-2024 04:59
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe
-
Size
3.6MB
-
MD5
7ef672e3e1d9015a95831848fe26f068
-
SHA1
488aa9ed4472f657f0f49afadb668f65b294d3eb
-
SHA256
68baedde98de0b2c5988b4afed250d8e946846e67093b3ecb42e2cfc722578e7
-
SHA512
d78d71b8c3f0013aa872c567019e5b95f2ac3b7ed00ab4f9bc4d3d41b7633cb83531e33fde80f90427fec9af019e32b0b728daf652268eb06007fb118421e26e
-
SSDEEP
98304:XDqPoBhz1aRxcSUDk36SAEdhvxWa9U2HI:XDqPe1Cxcxk3ZAEUahHI
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3270) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid Process 2916 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5}\WpadDecision = "0" 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-7b-ed-da-f9-02\WpadDecision = "0" 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0129000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5} 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5}\WpadDecisionTime = 30378f89631cdb01 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-7b-ed-da-f9-02 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-7b-ed-da-f9-02\WpadDecisionReason = "1" 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5}\WpadDecisionReason = "1" 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5}\WpadNetworkName = "Network 3" 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-7b-ed-da-f9-02\WpadDecisionTime = 30378f89631cdb01 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6FE971C-EE18-4DF0-930E-6E65E4CF35D5}\22-7b-ed-da-f9-02 2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2308 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2916
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-10-12_7ef672e3e1d9015a95831848fe26f068_wannacry.exe -m security1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2552
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5153f71ef0dd5b40970706d650011a395
SHA11d7679e4ef4ac9176f79b792ffeca6e21b94695a
SHA256cf9556cd6050cf9b45bb6041ecad928daf41e28abf8d6c9b7aca7ef0e98c9ac9
SHA5121fe0e7d7a53556dfcb07ee8bab0256963f37b89592f8993647f23b94ded33882a809b5300ae36b1788bf56211e2c0f9cdb93912efb2876f06cc1903e200cb482