wannacry | 7fa62f163639b1b357fd4bd9e33d1c32e31f1b223d658967bd2280e5918f98bf

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_59b845147b9808d77d31d72d7552d6dd_wannacry.exe
Size

5.0MB
MD5

59b845147b9808d77d31d72d7552d6dd
SHA1

d2889eb4b58327491e9e4a4e75cfa21b2e14a217
SHA256

7fa62f163639b1b357fd4bd9e33d1c32e31f1b223d658967bd2280e5918f98bf
SHA512

0f12ba9f8862c6622f13c52517d7a25f96fdf74dd79e9d7b80e6ddea1dfd5683db5941603566eec07c8c036565b3c60ebc2aa2e3f5ccbea723bd71d01585461f
SSDEEP

98304:Z8qToBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:Z8qTe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3203) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
552	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2024-12-12_59b845147b9808d77d31d72d7552d6dd_wannacry.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-12_59b845147b9808d77d31d72d7552d6dd_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-12_59b845147b9808d77d31d72d7552d6dd_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2024-12-12_59b845147b9808d77d31d72d7552d6dd_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_59b845147b9808d77d31d72d7552d6dd_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2316
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:552

C:\Users\Admin\AppData\Local\Temp\2024-12-12_59b845147b9808d77d31d72d7552d6dd_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-12_59b845147b9808d77d31d72d7552d6dd_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7a2048ca6361406092f6a1854c9df939

SHA1
be92a5e994985298422fe3b5d2772f0ca0a6d1da

SHA256
84c6b7684c623437efe7d7c82d23e50692f5fcdd8648fc5305574b9e2c0b28cc

SHA512
6819b5cef0f4e7215c148bfac46449840a65b9d6451b64812baa1ea957b25e267f5e565604bf3aac188913cb985bae8812bce2d570c50072f6d650e50a774c33

Download Submit