Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 10:24

General

  • Target

    2024-11-22_11589df42b5a4d4644c998de8a257583_wannacry.exe

  • Size

    5.0MB

  • MD5

    11589df42b5a4d4644c998de8a257583

  • SHA1

    0b773d11135d11edf3983a72e0a6e92b24a98ba7

  • SHA256

    1099d916868cc70b98d841bdafb93676ea8415fed2108581d5ad601f0ed5bfaa

  • SHA512

    b78fbb624735069769e4776ac77531fdef5f43c6b0f2db7537a8c07410e4a2da3fa445808cedd9942b9bbad9ec5dbd9dfe6acd266d98fa5b164dcf0789abc113

  • SSDEEP

    24576:QbLguriIfEcQdIBrYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+vbOSSqT:QnpENbcBVQej/1INRx+TSqT

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Contacts a large (3265) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-22_11589df42b5a4d4644c998de8a257583_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-22_11589df42b5a4d4644c998de8a257583_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5116
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:976
  • C:\Users\Admin\AppData\Local\Temp\2024-11-22_11589df42b5a4d4644c998de8a257583_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-11-22_11589df42b5a4d4644c998de8a257583_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    2.0MB

    MD5

    ca0bdd6a406903f62507e728244927d1

    SHA1

    7fdde06de5b6cd21c9acda654da723f6ffdb2fb7

    SHA256

    7262e02913e7361aaf6952ed1a63a29cd44193243c06488e3e15cad2564ec12e

    SHA512

    97048ae8a642924043d9e14bebd0896958dd942df61c459c07221b4efd9a3a7aa5cf45b97c3ea54aa64ab93b49093593d4cc41acf823eae2bb5e0fc8e3f5e31e