Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
20-11-2024 01:05
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe
-
Size
3.6MB
-
MD5
3822d77b7dea2b66944aff3da4b69a42
-
SHA1
d5911ee5daeca4aa650ce772463078572071432c
-
SHA256
3d88eca19559990d4abb8475af6e36aec87a83d50d735ed27bfe93fbfc80bb3a
-
SHA512
3686c3fa5d58cdec92376b98dd2739eda766cbe0c767fe426d43cfdd78839b9f4dbd9371434a173f04b1c6c290f7e74ed9861fc784fe5f0caa45a33079c525f4
-
SSDEEP
6144:iE9l9yNqIYVTH5DgSg8ajldktM0XXrs2QhE:iwbLgPluxQhE
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (3314) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid Process 2364 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe 2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4648 2364 WerFault.exe 85 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasksche.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2868 wrote to memory of 2364 2868 2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe 85 PID 2868 wrote to memory of 2364 2868 2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe 85 PID 2868 wrote to memory of 2364 2868 2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 2203⤵
- Program crash
PID:4648
-
-
-
C:\Users\Admin\AppData\Local\Temp\2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-11-20_3822d77b7dea2b66944aff3da4b69a42_wannacry.exe -m security1⤵
- System Location Discovery: System Language Discovery
PID:516
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2364 -ip 23641⤵PID:852
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5f6f44fa3bd492b50e314bbee5396ef9c
SHA1a04556b6394b11ae159843ee9d2adc399a86a93d
SHA256c6562fddf219ab5c6584c053e5723fb25ab58e8629b04fe39e7e2652a897676a
SHA512c93de901a0d19879fdf9dc9aa7d827d7f286ac996247b5f0e269f55f6d0b6b777df85e076fe616191e018b616cf841fff7ea72931359a857426fa37c73bf84c3