Analysis
max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
18-12-2024 03:23
Static task
static1
Behavioral task
behavioral1
Sample
2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
Resource
win10v2004-20241007-en
General
Target
2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
Size
375KB
MD5
c491ae45d9eab9d9618e3d195ccb2051
SHA1
bb2464e1d38a9ff6d9f3a5f2bf11332c34283d9b
SHA256
0eb250fb3e19b4f424ca7b49841cdc56b3bb86cd5dfc47bb9da7551789d903e5
SHA512
91d20879d1d9eb14fce307249accb6ae0192743b9b95352b5f503bd41d2a68a0ffc9ee28e6c81a806d27244f5309cbf629d2893b9e337722707da6208044f4b5
SSDEEP
6144:XsLqdufVUNDafNEd5+IZiZhLlG4AimmC5:cFUNDaVI5+IZUhLlG4AvN
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description / ioc / Process
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by explorer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by svchost.exe
(ShowSuperHidden = 0 keeps protected operating-system files hidden in Explorer; it is also the Windows default, so this value only corroborates the other indicators.)
Wannacry
WannaCry is a ransomware cryptoworm.
Wannacry family
Executes dropped EXE (6 IoCs)
pid / Process
2152 2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
1028 icsys.icn.exe
3624 explorer.exe
5112 spoolsv.exe
3100 svchost.exe
808 spoolsv.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description / ioc / Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" by explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" by explorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" by svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" by svchost.exe
Drops file in System32 directory (2 IoCs)
description / ioc / Process
File opened for modification C:\Windows\SysWOW64\explorer.exe by explorer.exe
File opened for modification C:\Windows\SysWOW64\explorer.exe by svchost.exe
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description / ioc / Process
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" by 2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
Drops file in Windows directory (5 IoCs)
description / ioc / Process
File opened for modification \??\c:\windows\resources\spoolsv.exe by explorer.exe
File opened for modification \??\c:\windows\resources\svchost.exe by spoolsv.exe
File opened for modification C:\Windows\Resources\tjud.exe by explorer.exe
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe by 2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
File opened for modification \??\c:\windows\resources\themes\explorer.exe by icsys.icn.exe
System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by svchost.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by spoolsv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by icsys.icn.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by explorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by spoolsv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / Process
960 2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe (repeated entries)
1028 icsys.icn.exe (repeated entries)
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid / Process
3624 explorer.exe
3100 svchost.exe
Suspicious use of SetWindowsHookEx (14 IoCs)
pid / Process (each listed twice)
960 2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
2152 2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
1028 icsys.icn.exe
3624 explorer.exe
5112 spoolsv.exe
3100 svchost.exe
808 spoolsv.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description / pid / Process / procid_target (each parent-to-child write is recorded three times)
PID 960 wrote to memory of 2152 (2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe, procid_target 83)
PID 960 wrote to memory of 1028 (2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe, procid_target 84)
PID 1028 wrote to memory of 3624 (icsys.icn.exe, procid_target 85)
PID 3624 wrote to memory of 5112 (explorer.exe, procid_target 86)
PID 5112 wrote to memory of 3100 (spoolsv.exe, procid_target 87)
PID 3100 wrote to memory of 808 (svchost.exe, procid_target 88)
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe"
  PID: 960
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  (depth 2) \??\c:\users\admin\appdata\local\temp\2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
    command line: c:\users\admin\appdata\local\temp\2024-12-18_c491ae45d9eab9d9618e3d195ccb2051_swisyn_wannacry.exe
    PID: 2152
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  (depth 2) C:\Windows\Resources\Themes\icsys.icn.exe
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    PID: 1028
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    (depth 3) \??\c:\windows\resources\themes\explorer.exe
      command line: c:\windows\resources\themes\explorer.exe
      PID: 3624
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      (depth 4) \??\c:\windows\resources\spoolsv.exe
        command line: c:\windows\resources\spoolsv.exe SE
        PID: 5112
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        (depth 5) \??\c:\windows\resources\svchost.exe
          command line: c:\windows\resources\svchost.exe
          PID: 3100
          - Modifies visibility of hidden/system files in Explorer
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in System32 directory
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          (depth 6) \??\c:\windows\resources\spoolsv.exe
            command line: c:\windows\resources\spoolsv.exe PR
            PID: 808
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

Note: explorer.exe, spoolsv.exe and svchost.exe in this tree are dropped copies running from c:\windows\resources and c:\windows\resources\themes, not the Windows binaries of the same name; the ransom wallpaper is set by the sample's second instance (PID 2152), while the icsys.icn.exe branch carries the file drops and RunOnce persistence.
Network
MITRE ATT&CK Enterprise v15
Downloads
(The report lists five dropped files by hash only; it does not map them to the paths under "Drops file in Windows directory". Four are 135KB but differ in hash.)
Filesize
240KB
MD5
7bf2b57f2a205768755c07f238fb32cc
SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Filesize
135KB
MD5
9dadb8ec05ec27f059600273ba2a4eb3
SHA1
51463caaaf16eb8e2238f235ab122763fc3d1ea5
SHA256
990dab6f8645df516ccf0ccad38feb85a988a88dda484a2b2b5f48166ee4d37b
SHA512
57dce391c92a4afb61dd635e07c65f1beb75ac53b88e2648a82437f2665a911a952992a88b55a5bb153b88b488d791c3f432ac3b01ad1cef7d5c448f8f8eeddf

Filesize
135KB
MD5
ac874c6c3db51f6deec83330c1d5c0e8
SHA1
d47dd2155081b1a4d0628dcebfe478c339f4f1b0
SHA256
74ea09109516886ae186fe6a850dd77d01e0daa6b316aece7b008e8aaf3b3d96
SHA512
7a9be994f9a03c4bec73f2dd4fdb3bfecaf357f32e712bfca26b8e3e92b8ac73e7a21c545c317e55cefdc8f2d5be41a88c60a5f0168bb135e827a94a8b94c012

Filesize
135KB
MD5
35e20dd2f55b7db65c596f4e0e4a5815
SHA1
963a2235a324d4ca558f7c7c0d96da4e4b5252f7
SHA256
38367ce04530b7296ddd6ab14b143a54596e8cb64ada45616498dc58c236c032
SHA512
dc81792efad5479aec137f997308afb0bcc233b0af00ea23bcf6e4854e64b9467449625b8149b5354f5bc73b08b75b72f9df4659624b2ecf685a89ee8646a6d6

Filesize
135KB
MD5
98a316e51cd793624f81067af981039a
SHA1
68b2ffe186d5cf1a54705d09047e412e0b75b8b1
SHA256
c0c714cce6fb2fd2e5dd8935635dfc966891e15fed77db3824040bb89f8110bf
SHA512
7d075469bf3f46205bbea65eb7affa870a26663b8e830f806454d8121daf440bd92d3aeee0009235eb2bae19461945bc5a894b91eccf07c9cde1f17a20cbfc53
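Host triage for the indicators in this report, as an added example: this PowerShell script is not part of the sandbox output, it was written to turn the Signatures, Processes and Downloads sections above into read-only checks an incident responder can run on a suspect Windows host. It assumes an elevated Windows PowerShell 5.1 or later session (so HKLM, HKEY_USERS and C:\Windows are readable), that only currently loaded user hives need checking, and that a ransom wallpaper file name begins with "@" on the user's Desktop, as the partially garbled wallpaper path in the report shows. ShowSuperHidden = 0 is the Windows default and is therefore reported as weak. The SysWOW64\explorer.exe check relies on the legitimate binary being catalog-signed, so Get-AuthenticodeSignature returning anything other than Valid indicates tampering.

```powershell
# Added example, not part of the sandbox report. Read-only triage of a Windows
# host for the indicators listed in the report above. Run elevated.

# Paths written by the dropped icsys.icn.exe / explorer.exe / spoolsv.exe chain.
# None of these is a legitimate location for a binary of that name on Windows 10.
$DroppedPaths = @(
    'C:\Windows\Resources\Themes\icsys.icn.exe',
    'C:\Windows\Resources\Themes\explorer.exe',
    'C:\Windows\Resources\spoolsv.exe',
    'C:\Windows\Resources\svchost.exe',
    'C:\Windows\Resources\tjud.exe'
)

# SHA-256 of the submitted sample plus the five files from the Downloads section,
# lower-case so they compare equal to Get-FileHash output.
$KnownSha256 = @(
    '0eb250fb3e19b4f424ca7b49841cdc56b3bb86cd5dfc47bb9da7551789d903e5',
    'b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25',
    '990dab6f8645df516ccf0ccad38feb85a988a88dda484a2b2b5f48166ee4d37b',
    '74ea09109516886ae186fe6a850dd77d01e0daa6b316aece7b008e8aaf3b3d96',
    '38367ce04530b7296ddd6ab14b143a54596e8cb64ada45616498dc58c236c032',
    'c0c714cce6fb2fd2e5dd8935635dfc966891e15fed77db3824040bb89f8110bf'
)

function Invoke-ReportTriage {
    [CmdletBinding()]
    param()
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Dropped binaries: presence alone is suspicious, a hash match is conclusive.
    foreach ($p in $DroppedPaths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
            $tag = if ($KnownSha256 -contains $h) { 'hash match' } else { 'unexpected file' }
            $findings.Add("${tag}: $p sha256=$h")
        }
    }

    # 2. The report shows C:\Windows\SysWOW64\explorer.exe opened for modification.
    #    The genuine file is catalog-signed; a non-Valid signature or a known-bad
    #    hash means it was overwritten.
    $wow = 'C:\Windows\SysWOW64\explorer.exe'
    if (Test-Path -LiteralPath $wow -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $wow
        $h   = (Get-FileHash -LiteralPath $wow -Algorithm SHA256).Hash.ToLower()
        if ($sig.Status -ne 'Valid' -or $KnownSha256 -contains $h) {
            $findings.Add("SysWOW64\explorer.exe signature=$($sig.Status) sha256=$h")
        }
    }

    # 3. RunOnce persistence. The report's writes land under WOW6432Node because
    #    the writer is a 32-bit process on x64; the native view is checked as well.
    $runOnceKeys = @(
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runOnceKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $props = Get-ItemProperty -LiteralPath $k
        foreach ($name in 'Explorer', 'Svchost') {
            $v = $props.$name
            # Report values look like "c:\windows\resources\themes\explorer.exe RO".
            if ($v -and $v -match '(?i)\\windows\\resources\\') {
                $findings.Add("RunOnce ${name}=$v ($k)")
            }
        }
    }

    # 4. Per-user indicators for every loaded user hive. ShowSuperHidden=0 is the
    #    Windows default (weak); a Desktop wallpaper whose name starts with '@'
    #    matches the ransom wallpaper in the report (assumed pattern).
    $users = Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($u in $users) {
        $base = "Registry::HKEY_USERS\$($u.PSChildName)"
        $adv  = "$base\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        if (Test-Path -LiteralPath $adv) {
            $ssh = (Get-ItemProperty -LiteralPath $adv).ShowSuperHidden
            if ($ssh -eq 0) { $findings.Add("ShowSuperHidden=0 (weak) for $($u.PSChildName)") }
        }
        $desk = "$base\Control Panel\Desktop"
        if (Test-Path -LiteralPath $desk) {
            $wp = (Get-ItemProperty -LiteralPath $desk).Wallpaper
            if ($wp -and $wp -match '(?i)\\Desktop\\@') {
                $findings.Add("ransom-style wallpaper for $($u.PSChildName): $wp")
            }
        }
    }

    # 5. Live processes running from the dropped locations (active infection, not residue).
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match '(?i)^C:\\Windows\\Resources\\' } |
        ForEach-Object { $findings.Add("running from Windows\Resources: PID $($_.ProcessId) $($_.ExecutablePath)") }

    return $findings
}

$result = Invoke-ReportTriage
if (-not $result) { 'No indicators from this report found.' } else { $result }
```

Findings are returned as strings so the function can be wrapped in Invoke-Command for a fleet sweep; offline user hives (users not logged on) are not covered by the HKEY_USERS enumeration and would need their NTUSER.DAT loaded with reg load first.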