Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-10-2024 12:42

General

  • Target

    2024-10-20_f67de491b20bca55917e906d1659f8ba_wannacry.exe

  • Size

    5.0MB

  • MD5

    f67de491b20bca55917e906d1659f8ba

  • SHA1

    9547f160e40f8c351315b4d6d3d4d9bc60dda66c

  • SHA256

    c201d12cae2da9bc01826b23c0c3dba50eca2acad602d6b75145962c28697c1f

  • SHA512

    648263301559baa1d85ae78429739d038c07c955e2e60364302815f6868bef6af0158889a19c051a2ae8bdb02b3189b39cb06b363a4fdd899686f6ef6e682235

  • SSDEEP

    12288:e1bLgmluCtgQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEn:QbLgurgQhfdmMSirYbcMNgef0QeQjG

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3224) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-20_f67de491b20bca55917e906d1659f8ba_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-20_f67de491b20bca55917e906d1659f8ba_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:4736
  • C:\Users\Admin\AppData\Local\Temp\2024-10-20_f67de491b20bca55917e906d1659f8ba_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-20_f67de491b20bca55917e906d1659f8ba_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1936

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads