Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-10-2024 18:53
Static task: static1
Behavioral task: behavioral1
Sample: 2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe
Resource: win10v2004-20241007-en
General
Target: 2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe
Size: 3.6MB
MD5: 16c9fc4bb5aadc37c8cdcde301cf44d0
SHA1: b33db650e6901dcbf1d048bdeeccbfbbb59e2463
SHA256: 405ca1e135c0db4d4394f1e343c4b1f60d77f5573ea03f199fe3fd7ea61ecde2
SHA512: d815d67dbaaa9ddecfa8842374c2c311c5869f3448177e674874dcdf62e08b4c956890cb581725d0020684c5318fedcfc3b7b67c15dc7bf7eae9d2d0d855fe1b
SSDEEP: 98304:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9P5BZx8:Z8qPe1Cxcxk3ZAEUadj78
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3259) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid: 352
Process: tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description: File opened for modification
ioc: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
Process: 2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe
-
Drops file in Windows directory 1 IoCs
description: File created
ioc: C:\WINDOWS\tasksche.exe
Process: 2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe
-
Modifies data under HKEY_USERS 1 IoCs
description: Key created
ioc: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Process: 2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe"
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2484
  -
  C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  - Executes dropped EXE
  PID:352
-
C:\Users\Admin\AppData\Local\Temp\2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-10-19_16c9fc4bb5aadc37c8cdcde301cf44d0_wannacry.exe -m security
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1720
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3.4MB
MD5: 008cc723d62d404994c49afbedbc1a43
SHA1: 43c4571def1f4df4d6245e3fec91c9504b0553dd
SHA256: 1ce1f15e09db58cf191d99b634bde114134718e2fa0e95eb611496ba1d4a568e
SHA512: 5449d6c0a0769df0afe1184e7e3b6c415244f28590296bb231031f364e774adca3ed7e853d010d2613990fc784e38f4876cc0b3e03773f11db8dc894ce0f446a