Resubmissions

16-12-2024 12:21

241216-pjry1szpay 10

16-12-2024 12:18

241216-pg2qfaznf1 10

16-12-2024 12:06

241216-n93b1a1kcr 10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    16-12-2024 12:18

General

  • Target

    2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe

  • Size

    5.0MB

  • MD5

    ca4ce7114be6f14792cc77f2997fc7e6

  • SHA1

    f4ca2bdcaed8ccaf20536cdfce85b338b74ebf19

  • SHA256

    b6e0541f88b2f91f92b7bcb4928db794f406e822802b1516b804fb1e2933e75e

  • SHA512

    d92e534f9ca67397fc17b9b67dd7e3fcca3d8be81d8e4d6f6da5ccc2dd6bb47ac5aef3f78ab274b1a08ca70e2db0dff8944e0e9a0e85eb657b09bfeac3f1864c

  • SSDEEP

    12288:GwbLgPluxQhMbaIMu7L5NVErCA4z2g6rTcbckP:VbLgdeQhfdmMSirYbc

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Contacts a large (3272) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 27 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:292
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2236
  • C:\Users\Admin\AppData\Local\Temp\2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2024-12-16_ca4ce7114be6f14792cc77f2997fc7e6_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1512
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2984
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Videos\Sample Videos\Wildlife.wmv"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2416
    • C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\DisconnectSwitch.m4a"
      1⤵
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

      Filesize

      304B

      MD5

      781602441469750c3219c8c38b515ed4

      SHA1

      e885acd1cbd0b897ebcedbb145bef1c330f80595

      SHA256

      81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

      SHA512

      2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

    • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

      Filesize

      559B

      MD5

      f098f26ff51b479920dee6458498b7fa

      SHA1

      dff621850c4b0fc445eac9ca36339a14999c8ced

      SHA256

      ba10bfaaff58158bacd1f852e408d1f47a35f3ab10424f26a6fa47601e8892f4

      SHA512

      ddd3516826daeaa8a36644c839cd36dada6a11ec7aebd0770b5e12abe8fa211f669e6e435b6e8b58babc6c51d4562a5bb142c2fb78d634cce6095a279b6b2255

    • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

      Filesize

      660B

      MD5

      bf51efcf7ac3c93c224fe11704dfe709

      SHA1

      fdb485e5b63de0250aeace01da84f36c74b497b7

      SHA256

      999739ca4290405737220d2697a8e020d83076adf9627c1230dcfef76772afef

      SHA512

      5c772ba5d69a9af4b09055613861c5569bdc00cef72520ed03d3cbe2a1dd0fc68d93e7c20005cbb980669dc783c88f1a86062f10e21b52fd04b6c414838c554b

    • C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

      Filesize

      18B

      MD5

      e128ac0000273b1f78d9970bc94c016c

      SHA1

      082e15b8befb6e0f14c89d2216a3b5cef2703720

      SHA256

      cda0d23efd49e20c428ce713e776a51ee3b29f2ab740efe499ef94f4e31d9119

      SHA512

      7b54ac769c76981c27c5d15d9a44356f3d2214857a5556f096354ea83e3c0cb6e6a2a0dabc536a7f2bb829a6d70dbdb11bb701ddc1bd21fcb84ff40557916f3a

    • C:\Users\Admin\AppData\Roaming\vlc\vlcrc

      Filesize

      94KB

      MD5

      7b37c4f352a44c8246bf685258f75045

      SHA1

      817dacb245334f10de0297e69c98b4c9470f083e

      SHA256

      ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

      SHA512

      1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

    • C:\Windows\tasksche.exe

      Filesize

      3.4MB

      MD5

      d7eb5e5aab394f614ec0288046e790d0

      SHA1

      0dbb29a44164554d592fb699d77feeda780bec0c

      SHA256

      ec0bfa7cc2780afbf1138d9d3c0dd9dd789f61ba6823acfee46de77b31f5202e

      SHA512

      d912195f0f64a83216c4932f5f72219b55abbffa83c29d7a005b0305fc48dbbc17b2da773bbfcbdf0364196aa4655a4b599c7670448cfce551e48186bc91733b

    • memory/2416-24-0x000007FEF3990000-0x000007FEF4A40000-memory.dmp

      Filesize

      16.7MB

    • memory/2416-23-0x000007FEF4BD0000-0x000007FEF4E86000-memory.dmp

      Filesize

      2.7MB

    • memory/2416-21-0x000000013FD30000-0x000000013FE28000-memory.dmp

      Filesize

      992KB

    • memory/2416-22-0x000007FEF5EB0000-0x000007FEF5EE4000-memory.dmp

      Filesize

      208KB

    • memory/2708-57-0x000007FEF6A60000-0x000007FEF6A94000-memory.dmp

      Filesize

      208KB

    • memory/2708-56-0x000000013F630000-0x000000013F728000-memory.dmp

      Filesize

      992KB

    • memory/2708-58-0x000007FEF43F0000-0x000007FEF46A6000-memory.dmp

      Filesize

      2.7MB

    • memory/2708-59-0x000007FEF3CA0000-0x000007FEF3DAE000-memory.dmp

      Filesize

      1.1MB

    • memory/2708-60-0x000007FEF2B70000-0x000007FEF3C20000-memory.dmp

      Filesize

      16.7MB