wannacry | 6434fb6839c0fac8309f6438bdb14a038a2c3b0db49f4f5b6437123c0db4c738

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-02_844a1d67f420f48909d2ce936919dc9f_wannacry.exe
Size

5.0MB
MD5

844a1d67f420f48909d2ce936919dc9f
SHA1

7ff68b0b1ec7dd46534c7e3d22a723ce6d004ad4
SHA256

6434fb6839c0fac8309f6438bdb14a038a2c3b0db49f4f5b6437123c0db4c738
SHA512

044f93cf912a2085977bb37aa971fd300f5e1586f28a6379eb93d5d64d37347e15a3c1ede2e8c3187e4071efb0e9773c15807d6d1911eb24aedf791c4f07ff46
SSDEEP

98304:k8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:k8qPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3293) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
2800	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2024-12-02_844a1d67f420f48909d2ce936919dc9f_wannacry.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2024-12-02_844a1d67f420f48909d2ce936919dc9f_wannacry.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-02_844a1d67f420f48909d2ce936919dc9f_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-02_844a1d67f420f48909d2ce936919dc9f_wannacry.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2024-12-02_844a1d67f420f48909d2ce936919dc9f_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2024-12-02_844a1d67f420f48909d2ce936919dc9f_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-02_844a1d67f420f48909d2ce936919dc9f_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2792
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2800

C:\Users\Admin\AppData\Local\Temp\2024-12-02_844a1d67f420f48909d2ce936919dc9f_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-02_844a1d67f420f48909d2ce936919dc9f_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/2704-1-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2704-7-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2792-0-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download
memory/2792-6-0x0000000000400000-0x0000000000A6C000-memory.dmp

Filesize
6.4MB

Download