Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-12-2024 03:23

General

  • Target

    2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe

  • Size

    375KB

  • MD5

    c491ae45d9eab9d9618e3d195ccb2051

  • SHA1

    bb2464e1d38a9ff6d9f3a5f2bf11332c34283d9b

  • SHA256

    0eb250fb3e19b4f424ca7b49841cdc56b3bb86cd5dfc47bb9da7551789d903e5

  • SHA512

    91d20879d1d9eb14fce307249accb6ae0192743b9b95352b5f503bd41d2a68a0ffc9ee28e6c81a806d27244f5309cbf629d2893b9e337722707da6208044f4b5

  • SSDEEP

    6144:XsLqdufVUNDafNEd5+IZiZhLlG4AimmC5:cFUNDaVI5+IZUhLlG4AvN

Malware Config

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:960
    • \??\c:\users\admin\appdata\local\temp\2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe 
      c:\users\admin\appdata\local\temp\2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe 
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2152
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1028
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3624
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5112
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3100
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:808

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe 

    Filesize

    240KB

    MD5

    7bf2b57f2a205768755c07f238fb32cc

    SHA1

    45356a9dd616ed7161a3b9192e2f318d0ab5ad10

    SHA256

    b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

    SHA512

    91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    9dadb8ec05ec27f059600273ba2a4eb3

    SHA1

    51463caaaf16eb8e2238f235ab122763fc3d1ea5

    SHA256

    990dab6f8645df516ccf0ccad38feb85a988a88dda484a2b2b5f48166ee4d37b

    SHA512

    57dce391c92a4afb61dd635e07c65f1beb75ac53b88e2648a82437f2665a911a952992a88b55a5bb153b88b488d791c3f432ac3b01ad1cef7d5c448f8f8eeddf

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    ac874c6c3db51f6deec83330c1d5c0e8

    SHA1

    d47dd2155081b1a4d0628dcebfe478c339f4f1b0

    SHA256

    74ea09109516886ae186fe6a850dd77d01e0daa6b316aece7b008e8aaf3b3d96

    SHA512

    7a9be994f9a03c4bec73f2dd4fdb3bfecaf357f32e712bfca26b8e3e92b8ac73e7a21c545c317e55cefdc8f2d5be41a88c60a5f0168bb135e827a94a8b94c012

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    35e20dd2f55b7db65c596f4e0e4a5815

    SHA1

    963a2235a324d4ca558f7c7c0d96da4e4b5252f7

    SHA256

    38367ce04530b7296ddd6ab14b143a54596e8cb64ada45616498dc58c236c032

    SHA512

    dc81792efad5479aec137f997308afb0bcc233b0af00ea23bcf6e4854e64b9467449625b8149b5354f5bc73b08b75b72f9df4659624b2ecf685a89ee8646a6d6

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    98a316e51cd793624f81067af981039a

    SHA1

    68b2ffe186d5cf1a54705d09047e412e0b75b8b1

    SHA256

    c0c714cce6fb2fd2e5dd8935635dfc966891e15fed77db3824040bb89f8110bf

    SHA512

    7d075469bf3f46205bbea65eb7affa870a26663b8e830f806454d8121daf440bd92d3aeee0009235eb2bae19461945bc5a894b91eccf07c9cde1f17a20cbfc53

  • memory/808-44-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/960-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/960-46-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1028-47-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3100-49-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3624-48-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/5112-45-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB