Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12-10-2024 05:10
Static task
static1
Behavioral task
behavioral1
Sample
2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe
-
Size
3.6MB
-
MD5
c80801ab6a745e288e72ed1209d4760d
-
SHA1
4d3ca26f4061504ab0c9e5b414fd1f89cd3af036
-
SHA256
9c9b32f6b61b37cf749054f0f253570ab782cc8c70812e3c5837650da873c6b7
-
SHA512
9ad46cbb6a31c6fe8d4d0033a7880f2e4e6c3e46824c8bba569d04f58ced2ba4435ab35c67a0de0f99bdb4fbc47c1640c2c2c04d41d332ceb8a66afd0a98e244
-
SSDEEP
12288:GwbLgPluxQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D:VbLgdeQhfdmMSirYbcMNgef0
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3365) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid Process 680 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe 2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe -
Modifies data under HKEY_USERS 1 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2068 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:680
-
-
C:\Users\Admin\AppData\Local\Temp\2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-10-12_c80801ab6a745e288e72ed1209d4760d_wannacry.exe -m security1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1996
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5031988f6dbd459cd6af6d4b5ccda59fe
SHA170708a2a55840c8a0949a63a27f84404f67ab375
SHA25662445585418bde700f9d946ce71bc86c29f0aff2a43aa90eb79cc80514743acd
SHA512068dea0456a34fd719174d234f02b7860ce059f3c7c4a5e48122b0a85470edb2d3f21f1927eef1f5564435be58246bbec35eac6c841a195f509267364176a666