Analysis
-
max time kernel
131s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
12-12-2024 17:27
General
-
Target
2024-12-12_7bb44ce91d465a2a5295f9168e0b6970_wannacry.exe
-
Size
3.6MB
-
MD5
7bb44ce91d465a2a5295f9168e0b6970
-
SHA1
50678187f149f1e46a738a166c0026ac05bc4a0a
-
SHA256
a5ffdb6d6251b69c518c7e4fa71feeb9b2efadec74d1f4c578890536eec1124d
-
SHA512
71c071a8cf2398c4a1fc34fa9c447b893dfe59465f15d392e3724a58bf8bb835aede6e72431e024bb610daa70a819aa65b8107f4301757ed9b75a89d1e972557
-
SSDEEP
49152:2nAQqMSPbcBVJNRx+TSqTdX1HkQo6SAARdhnvxJM0H9:yDqPoBJRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (2857) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Detected potential entity reuse from brand GOOGLE.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 9 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 24 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-12_7bb44ce91d465a2a5295f9168e0b6970_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-12_7bb44ce91d465a2a5295f9168e0b6970_wannacry.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\2024-12-12_7bb44ce91d465a2a5295f9168e0b6970_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-12-12_7bb44ce91d465a2a5295f9168e0b6970_wannacry.exe -m security1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.0.1951171994\1891859457" -parentBuildID 20221007134813 -prefsHandle 1244 -prefMapHandle 1096 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9260f774-f0ef-4bc6-b2b1-f74d4058ec40} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 1320 f4ef958 gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.1.737134581\1361432348" -parentBuildID 20221007134813 -prefsHandle 1540 -prefMapHandle 1536 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccf99eae-e295-4502-bcc5-1c37330c8223} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 1552 f030e58 socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.2.1875457453\1382187140" -childID 1 -isForBrowser -prefsHandle 2012 -prefMapHandle 2008 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d1c9f14-c9a4-4c9f-bb28-16917f0be02d} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 2024 19434458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.3.497710515\1222164343" -childID 2 -isForBrowser -prefsHandle 2572 -prefMapHandle 2564 -prefsLen 26151 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52eb37d6-c173-4eed-b200-b2298a7e0ce3} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 2584 e62b58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.4.567327416\1690072991" -childID 3 -isForBrowser -prefsHandle 2888 -prefMapHandle 2884 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {843c8e18-f154-4be5-b830-304e054cac93} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 2900 1d536258 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.5.894607375\1969372261" -childID 4 -isForBrowser -prefsHandle 3952 -prefMapHandle 3772 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8a6afc1d-e01e-4dfa-91a6-b140c21619f9} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 3956 1ecba458 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.6.570171072\1398277096" -childID 5 -isForBrowser -prefsHandle 4068 -prefMapHandle 4072 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc790969-a490-4b43-b91d-edfbd9fbb4bb} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 4056 1ecbaa58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.7.1543830930\2018539846" -childID 6 -isForBrowser -prefsHandle 3980 -prefMapHandle 3772 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26c5d26e-2560-4177-8631-6a9988699bf6} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 4104 1ecbc558 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.8.266509006\1195955039" -childID 7 -isForBrowser -prefsHandle 4560 -prefMapHandle 4564 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0208cf13-ad2d-4363-b644-29da7a5383b1} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 4540 1e96a058 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.9.995946308\227239515" -childID 8 -isForBrowser -prefsHandle 4404 -prefMapHandle 3964 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e632f28-aca7-4b68-801a-490fab4b88e5} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 4500 20bb3a58 tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2460.10.378931748\939333034" -childID 9 -isForBrowser -prefsHandle 3988 -prefMapHandle 4052 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa988c8e-4c36-40fe-b0bb-b576200fa39d} 2460 "\\.\pipe\gecko-crash-server-pipe.2460" 4464 20b92558 tab3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
23KB
MD5bd5d290acd0e7ed7d147e7d4cadb61eb
SHA199cfe0edc163a5a46e7942b8fb80f70a717c23fa
SHA2563fcd2973484d71d6ac7eb0fa57731ce406683bfa294e63d8beb4458f22a9b533
SHA512c99e54cf5490cad557d4c86ccd08c31c4d716c406ac51efad7d8a457ca18e61ea8dfd1d6da04cdf25d5f77e5a5ec06e3618107bff98c51f3b36ae41490b2c816
-
Filesize
61KB
MD57d871d772bb049e36076eb0d5762a89e
SHA1085d2a6f1d9e4ab2169ab3e888ba5dbab342142f
SHA2560d6645288feb874dc47980d5918a84df54c260c8be519eafefb1f68453d801e7
SHA5125dc1e1aeb58124a599de59fac2b0ff03ff6a2f7eddbe6013f91148a96867077ef74a1e026375a9b0d01c12769d08a20d5e7dc47664032a2d7a9e1fcdc7f3b18d
-
Filesize
224KB
MD55469e9ef96a71d487d6663e41e0108a6
SHA14212dab31e0f0ab373bc96bbff543b37106fa386
SHA256052cec5f239873a4b56e18f1eeb1124e064fd00cb5f807d63333d15794bf2bee
SHA51209a5f36110dd580489e37a430dd4bdf18a43352c6bb15c4433839012c0c4e068397024be1f96ee697c20b045a6b0b572b8eb9bc06e0770cf8e0c14f912e35ca8
-
Filesize
15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
2KB
MD5122bd7b01f86b37f1c3ef6561fae185d
SHA1581164657caec01d87977c09e419ca09a3288a29
SHA2565c999c6a3a650248b95f9c0d74997237abc5154eb06fd5bb09ac222c83030c62
SHA512ad01488c39879c220508f15861aee71be3eee9a634bdd9f73f45f90d9b2280f6b95c1278f14137be43163399ccd8c0dce50572972fc0b8bc111b4d604598877d
-
Filesize
745B
MD5a02d2aae7f6216a2b8e68d2e6269e695
SHA113f44c11acfaeb71aee2e5abb0565a42fca4fcd6
SHA256bd2bf21c7ce4dcadc06b2c8437e52095845adc7e37ed7badfa4147ee330d723a
SHA512d3f70e73d28de261b5c8e8e1a9b3c4a5ec89f89d5d21255b6d48140f4be33090b903dd927f54570a49d1599c6760c2d3cccfa42197ba12f1afa9cba120dbe6eb
-
Filesize
11KB
MD5718b408fa90a89f27256682a6c3339cc
SHA11e50606d8d3d3b061406d61ec7174352473d0af8
SHA256026dc14ee0e9660103c6f58c7ab2c905ee3366f375829f7f592cc509bfaa2651
SHA51251204069911251fd5dbdf609d358ff1e30a59519f4ed979d8105297fa2a2fee5982a48ba6d10e1de51efbdae8ed8cda90c55654d30041e8b8c5febfee3889f4d
-
Filesize
6KB
MD55084f1b58f5f14056749a7b241c3b095
SHA15097660ca24ebca3f880d54a56a165d533d2fa58
SHA256dea9ad469b34bb26c65c28a30694434b5aec42fc3a8b18baf671c6155da483dc
SHA512766ebcd0d292198ee4b6c10039d0f470b460e0b938100e50145b27c503da7b25c6a859ea745e41d7a755fcbbe6be4ffc187e3891bebdada3401be2317562f2b3
-
Filesize
6KB
MD5628b1afb8efb87fa1664590dcbc0fd6d
SHA18d60b0eb05399976826ae68314550878ce478356
SHA256ef263d61b36a7a78c2100da25aaf2e5bb94215d915250d653042ddffc624c9e6
SHA512894fccb411f65f54a098e89c15c88af57bd7b8c7b38abdc67066ac37fb0c20005d747c68f4388212d8b233bf6871d2df6c09c8c9818507c3e9a5155cc7bd9626
-
Filesize
6KB
MD50004224b7c82344c2a17ea653ec4ce46
SHA1782e24ba34e94cb438e3afc9ceb13e758e3f436a
SHA2566610b574322fc2479baca84166b924972e98593e2690c909e9453dc3c013b9e4
SHA512d2952c81f58a08e55ec6e493e0a20a765c85d9d6b7bc9a2c7438eaaee5b3afe388b094d14121d9760181710141b2b9a95a8eaf85bc39757eb44f2a1863bef715
-
Filesize
3KB
MD5318b9e198191a42fa99a1a5c986deba8
SHA10f9fae0007f307b2f611202e863abb8fb4e72a21
SHA256fe74c0b590bc81a4810f8a8260351fe1dbe7e0cd53d0260ec3e7d21e9be1f5c9
SHA512dc2648899e18ce83c1cb0b16bf2148388552f362cf305447aa90919e52db79ba1c08e3474f36d8ffb03b3b26e8baa5bf3d798edd0e74697825278980a21c3356
-
Filesize
4KB
MD5a45ec6a8cd8374bc97173dd56aa5345e
SHA18acd5553740bcdd47ade321068bd953feac9a39e
SHA2562f978aa3ce462164cfc47fc5ec182954ac7bef64e0d1108f397a6062f16899f0
SHA5120c3ae10aa783de5e419b61e23d6aab9dd36d25e6b40e4bcc150bab1a80865a0977d8fcd71c3772928d2c2cb643e642adb3f4532ed6220703c87b60b1d26c4d40
-
Filesize
4KB
MD576230ce9395a771958bdc39847088c86
SHA1584023e0f1572e6e211d63c1c7ff2a8430ef1b47
SHA256dc96c6a370e71f81f7419715e21b7a0c49cfa189c0e932cc4105612e97a018ad
SHA5129eab2b0816e4be07dbbc5fc7d250e15e7c91d1aeab8c3ce5c92ed8f35f8b7c09e7cf8050ce56f185ab1c65c84d87843805c71356642fcdf4c9f321229c7d75ce
-
Filesize
5KB
MD587b960fd2dac618498b52a90606e1439
SHA1aedaae758c0bc24dfe075cdeec600c91f6586258
SHA256b6d4d409d53f3cdc1e4be6591dfd0229636092a4b706af774024ecff0336eaa3
SHA51286055106b05e1be514087bb46037f5fba7b69ba6a958d904cdcfd00a424256987c13e739e790b2ada234955e6e400ad727ee489cc31a438c6572ecdbcbeb3da6
-
Filesize
8KB
MD51cafb66d53e7a435d5814647aa5b0edf
SHA133d745d386a6969ab5c7d3660ed9cc17ad685764
SHA2563172af00d1fd9caaa42ae61e2b1b1ab43ec188e134125bec7f4d4b639936e790
SHA512350cccd1a4cef9dc67be0578beecc42ab24d7a8d853baf8516233d1fc14331350b6f642298f1f399ed62dc5fe7cc2ae69761b7ab72932aa0c66e739d8e9928e7
-
Filesize
184KB
MD5dc2cbc66b066c1546bb95ef619465509
SHA10ee30853b798d6c73e5d84c6e7d18678c20480f2
SHA256932b041855e516db863cd676f08090065c69f442eafbe98aa7fc3d47d0e80173
SHA512ca3bce8a2a513f2e0c0a454741b708da498b3dc92885ba4c63c60f59a98adf7395b408cd00b72da746b82ecd4b5366776b8873f51168ec6e7c5bb087d3a5321e
-
Filesize
3.4MB
MD55c2a5c8233d0013014a1eec1d2ce47cc
SHA14f6abf67c5b9ea8f2ba053a6276095ecf3329bc9
SHA256ffae568b8df0e4ade5db934ac902d742f92fe40426306970d8b2080516ab327e
SHA5126684911c57a8e861c03d569b1c6ed4a18efb74595cd8706195b1aae583d19d05270a597234637a0abb74f34df5842b66dd50803c3365b78d57bc94a8e3145c9d