Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    12-10-2024 05:10

General

  • Target

    2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe

  • Size

    3.6MB

  • MD5

    c80801ab6a745e288e72ed1209d4760d

  • SHA1

    4d3ca26f4061504ab0c9e5b414fd1f89cd3af036

  • SHA256

    9c9b32f6b61b37cf749054f0f253570ab782cc8c70812e3c5837650da873c6b7

  • SHA512

    9ad46cbb6a31c6fe8d4d0033a7880f2e4e6c3e46824c8bba569d04f58ced2ba4435ab35c67a0de0f99bdb4fbc47c1640c2c2c04d41d332ceb8a66afd0a98e244

  • SSDEEP

    12288:GwbLgPluxQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D:VbLgdeQhfdmMSirYbcMNgef0

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3365) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2068
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:680
  • C:\Users\Admin\AppData\Local\Temp\2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    031988f6dbd459cd6af6d4b5ccda59fe

    SHA1

    70708a2a55840c8a0949a63a27f84404f67ab375

    SHA256

    62445585418bde700f9d946ce71bc86c29f0aff2a43aa90eb79cc80514743acd

    SHA512

    068dea0456a34fd719174d234f02b7860ce059f3c7c4a5e48122b0a85470edb2d3f21f1927eef1f5564435be58246bbec35eac6c841a195f509267364176a666