Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27-10-2024 20:24
Behavioral task
behavioral1
Sample
2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe
-
Size
854KB
-
MD5
9e7f8bbc8b012b6a9125d72d8872c1b9
-
SHA1
71ffa7a408554eed422aa044613f100eafc78c57
-
SHA256
c277a8fe3f35b51cb210db9bd9d4215fb05e694cd15b46d2a0aa1f094738c163
-
SHA512
9fff0dbbe1492adf2b1b6c3d707861ed629f1e24490abc6893559903fb019ac620142bd60de33a39f41a9d735064e1fae421defc0dc6bc7973ee28987709ba80
-
SSDEEP
12288:b0zVvgDNMoWjTmFzAzBocaKjyWtiR1pptHxQ0z2GjShqL:o5vgHWjTwAlocaKjyyItHDzH
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 2 IoCs
Processes:
resource yara_rule \Users\Admin\AppData\Roaming\Virus1.exe family_chaos behavioral1/memory/2664-16-0x00000000011A0000-0x00000000011B0000-memory.dmp family_chaos -
Chaos family
-
Executes dropped EXE 3 IoCs
Processes:
Virus1.exeBootstrapper.exepid process 2664 Virus1.exe 2740 Bootstrapper.exe 1196 -
Loads dropped DLL 7 IoCs
Processes:
2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exeWerFault.exepid process 2980 2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe 2980 2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe 1492 WerFault.exe 1492 WerFault.exe 1492 WerFault.exe 1492 WerFault.exe 1492 WerFault.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exepid process 2644 ipconfig.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
Virus1.exepid process 2664 Virus1.exe 2664 Virus1.exe 2664 Virus1.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
Processes:
Virus1.exeWMIC.exeBootstrapper.exedescription pid process Token: SeDebugPrivilege 2664 Virus1.exe Token: SeIncreaseQuotaPrivilege 704 WMIC.exe Token: SeSecurityPrivilege 704 WMIC.exe Token: SeTakeOwnershipPrivilege 704 WMIC.exe Token: SeLoadDriverPrivilege 704 WMIC.exe Token: SeSystemProfilePrivilege 704 WMIC.exe Token: SeSystemtimePrivilege 704 WMIC.exe Token: SeProfSingleProcessPrivilege 704 WMIC.exe Token: SeIncBasePriorityPrivilege 704 WMIC.exe Token: SeCreatePagefilePrivilege 704 WMIC.exe Token: SeBackupPrivilege 704 WMIC.exe Token: SeRestorePrivilege 704 WMIC.exe Token: SeShutdownPrivilege 704 WMIC.exe Token: SeDebugPrivilege 704 WMIC.exe Token: SeSystemEnvironmentPrivilege 704 WMIC.exe Token: SeRemoteShutdownPrivilege 704 WMIC.exe Token: SeUndockPrivilege 704 WMIC.exe Token: SeManageVolumePrivilege 704 WMIC.exe Token: 33 704 WMIC.exe Token: 34 704 WMIC.exe Token: 35 704 WMIC.exe Token: SeIncreaseQuotaPrivilege 704 WMIC.exe Token: SeSecurityPrivilege 704 WMIC.exe Token: SeTakeOwnershipPrivilege 704 WMIC.exe Token: SeLoadDriverPrivilege 704 WMIC.exe Token: SeSystemProfilePrivilege 704 WMIC.exe Token: SeSystemtimePrivilege 704 WMIC.exe Token: SeProfSingleProcessPrivilege 704 WMIC.exe Token: SeIncBasePriorityPrivilege 704 WMIC.exe Token: SeCreatePagefilePrivilege 704 WMIC.exe Token: SeBackupPrivilege 704 WMIC.exe Token: SeRestorePrivilege 704 WMIC.exe Token: SeShutdownPrivilege 704 WMIC.exe Token: SeDebugPrivilege 704 WMIC.exe Token: SeSystemEnvironmentPrivilege 704 WMIC.exe Token: SeRemoteShutdownPrivilege 704 WMIC.exe Token: SeUndockPrivilege 704 WMIC.exe Token: SeManageVolumePrivilege 704 WMIC.exe Token: 33 704 WMIC.exe Token: 34 704 WMIC.exe Token: 35 704 WMIC.exe Token: SeDebugPrivilege 2740 Bootstrapper.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exeBootstrapper.exeVirus1.execmd.execmd.exedescription pid process target process PID 2980 wrote to memory of 2664 2980 2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe Virus1.exe PID 2980 wrote to memory of 2664 2980 2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe Virus1.exe PID 2980 wrote to memory of 2664 2980 2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe Virus1.exe PID 2980 wrote to memory of 2664 2980 2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe Virus1.exe PID 2980 wrote to memory of 2740 2980 2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe Bootstrapper.exe PID 2980 wrote to memory of 2740 2980 2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe Bootstrapper.exe PID 2980 wrote to memory of 2740 2980 2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe Bootstrapper.exe PID 2980 wrote to memory of 2740 2980 2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe Bootstrapper.exe PID 2740 wrote to memory of 2608 2740 Bootstrapper.exe cmd.exe PID 2740 wrote to memory of 2608 2740 Bootstrapper.exe cmd.exe PID 2740 wrote to memory of 2608 2740 Bootstrapper.exe cmd.exe PID 2664 wrote to memory of 2532 2664 Virus1.exe WerFault.exe PID 2664 wrote to memory of 2532 2664 Virus1.exe WerFault.exe PID 2664 wrote to memory of 2532 2664 Virus1.exe WerFault.exe PID 2608 wrote to memory of 2644 2608 cmd.exe ipconfig.exe PID 2608 wrote to memory of 2644 2608 cmd.exe ipconfig.exe PID 2608 wrote to memory of 2644 2608 cmd.exe ipconfig.exe PID 2740 wrote to memory of 2228 2740 Bootstrapper.exe cmd.exe PID 2740 wrote to memory of 2228 2740 Bootstrapper.exe cmd.exe PID 2740 wrote to memory of 2228 2740 Bootstrapper.exe cmd.exe PID 2228 wrote to memory of 704 2228 cmd.exe WMIC.exe PID 2228 wrote to memory of 704 2228 cmd.exe WMIC.exe PID 2228 wrote to memory of 704 2228 cmd.exe WMIC.exe PID 2740 wrote to memory of 1492 2740 Bootstrapper.exe WerFault.exe PID 2740 wrote to memory of 1492 2740 Bootstrapper.exe WerFault.exe PID 2740 wrote to memory of 1492 2740 Bootstrapper.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-10-27_9e7f8bbc8b012b6a9125d72d8872c1b9_wannacry.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Users\Admin\AppData\Roaming\Virus1.exe"C:\Users\Admin\AppData\Roaming\Virus1.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2664 -s 5683⤵PID:2532
-
C:\Users\Admin\AppData\Roaming\Bootstrapper.exe"C:\Users\Admin\AppData\Roaming\Bootstrapper.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\system32\cmd.exe"cmd" /c ipconfig /all3⤵
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\system32\ipconfig.exeipconfig /all4⤵
- Gathers network information
PID:2644 -
C:\Windows\system32\cmd.exe"cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")3⤵
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\System32\Wbem\WMIC.exewmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")4⤵
- Suspicious use of AdjustPrivilegeToken
PID:704 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2740 -s 11243⤵
- Loads dropped DLL
PID:1492
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
800KB
MD52a4dcf20b82896be94eb538260c5fb93
SHA121f232c2fd8132f8677e53258562ad98b455e679
SHA256ebbcb489171abfcfce56554dbaeacd22a15838391cbc7c756db02995129def5a
SHA5124f1164b2312fb94b7030d6eb6aa9f3502912ffa33505f156443570fc964bfd3bb21ded3cf84092054e07346d2dce83a0907ba33f4ba39ad3fe7a78e836efe288
-
Filesize
42KB
MD59fd5152a920afc01a494f84d97af7b8c
SHA1058646770a0ca82417f240a068464e712c11a1b9
SHA2566f0f20da34396166df352bf301b3c59ef42b0bc67f52af3d541b0161c47ede05
SHA5123bc11f2d30877590f108866186a0dbc4d36a773b036382df7b5129637e81c70f18469526ef2129a02e36179075a58f93e7e0040fd35c8c0d88511b77998d53b6