Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-10-2024 02:56

General

  • Target

    aea2cf3c95fb2fb2161b7c5555e118120b9e0b3b0cc216495fe66fd70f33fa59.exe

  • Size

    3.6MB

  • MD5

    b31e44c5a7a208a8cfdf21756392238f

  • SHA1

    858be22cab4910de26beb2aaec2f9ab99e0a8469

  • SHA256

    aea2cf3c95fb2fb2161b7c5555e118120b9e0b3b0cc216495fe66fd70f33fa59

  • SHA512

    75f879927c6cbbcf24ef9950136876e62075de84e4f3ed24cc0345e75b2ba99ac74a603858a6f606c4d727bb5cc2edcee13632190260139ff2fe94d32151987b

  • SSDEEP

    49152:VnjQqMSPbcBVQej/1INgwuqzgX8knK4JKARyPHRieTG:Z8qPoBhz1a

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3110) of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (1 IoC)
  • Creates a large number of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS (1 IoC)
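The two scan-related signatures above (3110 remote hosts, a large number of network flows) are fan-out counts: one source touching many distinct destinations in a short time. The following is an added example, not part of the sandbox output, of reproducing that count from flow records with a sliding time window so that the same logic can run over NetFlow or Zeek conn logs outside the sandbox. The flow record fields, the window, the threshold and the sample flows are all constructed assumptions; the constructed scanner sweeps TCP 445, the SMB port WannaCry's worm component targets, which this report does not itself list.

```python
"""Fan-out (host sweep) detector over flow records.

Added example based on the 'Contacts a large (3110) amount of remote hosts'
and 'Creates a large amount of network flows' signatures in this report.
Not sandbox output: Flow schema, window, threshold and sample data are
assumptions made for the demonstration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since the start of the capture
    src: str    # source host
    dst: str    # destination host
    dport: int  # destination port


def fanout_alerts(flows, window=60.0, threshold=100):
    """Return {src: (peak_distinct_dsts, most_common_dport)} for every source
    that contacted more than `threshold` distinct destinations inside any
    `window`-second span.  A sliding window over time-sorted flows keeps the
    count exact without re-scanning the whole list per flow."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    alerts = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        in_window = Counter()  # dst -> number of flows currently in the window
        left = 0
        peak = 0
        for f in fl:
            in_window[f.dst] += 1
            # drop flows that fell out of the window on the left
            while f.ts - fl[left].ts > window:
                old = fl[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            top_port = Counter(f.dport for f in fl).most_common(1)[0][0]
            alerts[src] = (peak, top_port)
    return alerts


def make_sample_flows():
    """Constructed sample: 10.0.0.5 sweeps 200 hosts in 10.0.1.0/24 on
    TCP 445 within 20 s (scan); 10.0.0.7 talks to the same 5 hosts on 443
    over two minutes (normal fan-out)."""
    flows = []
    for i in range(1, 201):
        flows.append(Flow(ts=i * 0.1, src="10.0.0.5", dst=f"10.0.1.{i}", dport=445))
    for t in range(120):
        flows.append(Flow(ts=float(t), src="10.0.0.7", dst=f"10.0.2.{t % 5 + 1}", dport=443))
    return flows


if __name__ == "__main__":
    for src, (n, port) in fanout_alerts(make_sample_flows()).items():
        print(f"{src}: contacted {n} distinct hosts within 60 s, mostly on port {port}")
```

The threshold is deliberately a parameter: a domain controller or a vulnerability scanner legitimately fans out, so tune it per source role or allow-list those hosts rather than lowering it globally. The 3110 hosts in this report would trip any realistic threshold.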

Processes

  • C:\Users\Admin\AppData\Local\Temp\aea2cf3c95fb2fb2161b7c5555e118120b9e0b3b0cc216495fe66fd70f33fa59.exe
    "C:\Users\Admin\AppData\Local\Temp\aea2cf3c95fb2fb2161b7c5555e118120b9e0b3b0cc216495fe66fd70f33fa59.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:780
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2212
  • C:\Users\Admin\AppData\Local\Temp\aea2cf3c95fb2fb2161b7c5555e118120b9e0b3b0cc216495fe66fd70f33fa59.exe
    C:\Users\Admin\AppData\Local\Temp\aea2cf3c95fb2fb2161b7c5555e118120b9e0b3b0cc216495fe66fd70f33fa59.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2328

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    1e74f055fe22069f9c6501f6687f0901

    SHA1

    f8a30f46b1be4f6080d91194aa728bcab97c5653

    SHA256

    7bafa137c14811698535cadcb9f45237d2769a590dcc14d155faa00e5d0aa371

    SHA512

    050add0268daf614a615a354d09a982a87f0527078427162e68a779e943af9e7f39ad6b984afd06bf3d6e2c256394831a2f573d8c589947fac080216d89edcc1
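The process tree in the Processes section and the dropped-file hash in Downloads are the host-side indicators a detection engineer would turn into rules. As an added example, not sandbox output, the following Python matches process-creation events against the SHA256 values in this report and against three behavioural rules read off the tree: a dropped executable in C:\Windows run with `/i`, a process started with `-m security`, and a parent running from a user-writable path spawning a child in C:\Windows. The event schema, the rule names R1 to R3, the benign control event and the tokeniser are assumptions; the report does not show the parents of the two depth-1 processes, so their `ppid` is left as `None`. Paths, hashes and command lines are copied from the report.

```python
"""Host-side IOC and behaviour matching for this report's process tree.

Added example, not sandbox output.  Event schema, SAMPLE_EVENTS, rule names
and the benign control event are assumptions; hashes, paths and command
lines come from the report above.
"""
import re
from pathlib import PureWindowsPath

SUBMITTED_SHA256 = "aea2cf3c95fb2fb2161b7c5555e118120b9e0b3b0cc216495fe66fd70f33fa59"
DROPPED_SHA256 = "7bafa137c14811698535cadcb9f45237d2769a590dcc14d155faa00e5d0aa371"
KNOWN_SHA256 = {
    SUBMITTED_SHA256: "submitted sample",
    DROPPED_SHA256: "dropped C:\\Windows\\tasksche.exe",
}
# Dropped-file paths taken from the Downloads section
DROPPED_FILES = {r"C:\Windows\tasksche.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\aea2cf3c95fb2fb2161b7c5555e118120b9e0b3b0cc216495fe66fd70f33fa59.exe"

# Constructed events mirroring the Processes section; ppid None = parent not shown
SAMPLE_EVENTS = [
    {"pid": 780, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"', "sha256": SUBMITTED_SHA256},
    {"pid": 2212, "ppid": 780, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i", "sha256": DROPPED_SHA256},
    {"pid": 2328, "ppid": None, "image": SAMPLE, "cmdline": f"{SAMPLE} -m security", "sha256": SUBMITTED_SHA256},
    # benign control (constructed): must trigger nothing
    {"pid": 3000, "ppid": None, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "sha256": "0" * 64},
]


def _tokens(cmdline):
    """Split a Windows command line into argv-like tokens, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _norm(path):
    """Case-insensitive canonical form so C:\\WINDOWS and C:\\Windows compare equal."""
    return str(PureWindowsPath(path)).lower()


def _in_windows_dir(path):
    return PureWindowsPath(path).parent == PureWindowsPath(r"C:\Windows")


def _user_writable(path):
    p = _norm(path)
    return "\\users\\" in p and ("\\appdata\\" in p or "\\temp\\" in p)


def hash_hits(events):
    """(pid, label) for every event whose image hash is in KNOWN_SHA256."""
    return [(e["pid"], KNOWN_SHA256[e["sha256"]]) for e in events if e["sha256"] in KNOWN_SHA256]


def behavioural_findings(events, dropped_files=DROPPED_FILES):
    """Rules derived from the process tree in this report.
    R1: a file listed as dropped, living in C:\\Windows, executed with '/i'
    R2: any process started with the argument pair '-m security'
    R3: a parent running from a user-writable path spawns a child in C:\\Windows
    Returns a list of (rule, pid, detail)."""
    dropped = {_norm(p) for p in dropped_files}
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        args = _tokens(e["cmdline"])[1:]
        if _norm(e["image"]) in dropped and "/i" in args:
            findings.append(("R1", e["pid"], f"dropped {e['image']} executed with /i"))
        if "-m" in args and args[args.index("-m") + 1:][:1] == ["security"]:
            findings.append(("R2", e["pid"], "started with '-m security'"))
        parent = by_pid.get(e.get("ppid"))
        if parent and _in_windows_dir(e["image"]) and _user_writable(parent["image"]):
            findings.append(("R3", e["pid"], f"{parent['image']} spawned {e['image']}"))
    return findings


if __name__ == "__main__":
    for pid, label in hash_hits(SAMPLE_EVENTS):
        print(f"hash match pid {pid}: {label}")
    for rule, pid, detail in behavioural_findings(SAMPLE_EVENTS):
        print(f"{rule} pid {pid}: {detail}")
```

Hash matching catches only this exact build; the behavioural rules are what survive a repacked sample, and R1 in particular depends on correlating file-write telemetry (the Downloads list here) with process creation, so in production feed it the dropped-file set from your EDR rather than a static list.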