Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    28-10-2024 11:08

General

  • Target

    2024-10-28_fd5e61012cdd7c49e9e7ab84faf2fec6_wannacry.exe

  • Size

    3.6MB

  • MD5

    fd5e61012cdd7c49e9e7ab84faf2fec6

  • SHA1

    54f55fafa0a481f3df90b14580116b51d7f9cf0c

  • SHA256

    36c3e8d1f1a8a583c456853ea949d784f4b0654a2248f4a9764daa6d155d20cf

  • SHA512

    452c392196857bc07a1031bba5a38c5582f93803060680ea99a73969132fa56783f32b23387990184bc355a3c3d813e39a753661d6d19eba4b16906ad45d6867

  • SSDEEP

    98304:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9P5hAVp2HI:Z8qPe1Cxcxk3ZAEUadzc4HI

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Contacts a large (3291) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-28_fd5e61012cdd7c49e9e7ab84faf2fec6_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-28_fd5e61012cdd7c49e9e7ab84faf2fec6_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2332
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2736
  • C:\Users\Admin\AppData\Local\Temp\2024-10-28_fd5e61012cdd7c49e9e7ab84faf2fec6_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-10-28_fd5e61012cdd7c49e9e7ab84faf2fec6_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:3020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    91d820de88dda105b82e9e139dc2aec3

    SHA1

    fe59e1ccd5d8f485714f12c9398f0cbd292db9d8

    SHA256

    99ee9bbacd6957ad3b34ab7e08dec6e3f64a99465fc0efc7a0824b5d00a4fc63

    SHA512

    113bb0f5a5d354520c6166ca80017d78fc6c6d9c883fa1f994652fe1332c92205264cd88af1b713e622f05e981394b06ef2148152d88940e1ab0cca346b138ed