Resubmissions
16-12-2024 12:21
241216-pjry1szpay 1016-12-2024 12:18
241216-pg2qfaznf1 1016-12-2024 12:06
241216-n93b1a1kcr 10Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2024 12:06
Static task
static1
Behavioral task
behavioral1
Sample
2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe
-
Size
5.0MB
-
MD5
ca4ce7114be6f14792cc77f2997fc7e6
-
SHA1
f4ca2bdcaed8ccaf20536cdfce85b338b74ebf19
-
SHA256
b6e0541f88b2f91f92b7bcb4928db794f406e822802b1516b804fb1e2933e75e
-
SHA512
d92e534f9ca67397fc17b9b67dd7e3fcca3d8be81d8e4d6f6da5ccc2dd6bb47ac5aef3f78ab274b1a08ca70e2db0dff8944e0e9a0e85eb657b09bfeac3f1864c
-
SSDEEP
12288:GwbLgPluxQhMbaIMu7L5NVErCA4z2g6rTcbckP:VbLgdeQhfdmMSirYbc
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (3312) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid Process 1144 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe 2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1800 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:1144
-
-
C:\Users\Admin\AppData\Local\Temp\2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe -m security1⤵
- System Location Discovery: System Language Discovery
PID:3992
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5d7eb5e5aab394f614ec0288046e790d0
SHA10dbb29a44164554d592fb699d77feeda780bec0c
SHA256ec0bfa7cc2780afbf1138d9d3c0dd9dd789f61ba6823acfee46de77b31f5202e
SHA512d912195f0f64a83216c4932f5f72219b55abbffa83c29d7a005b0305fc48dbbc17b2da773bbfcbdf0364196aa4655a4b599c7670448cfce551e48186bc91733b