wannacry | 0cff80224ebf4fc5779711665f8ec7aa40c3226ac129fe160ae05fb6cb29d2c3

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-21_d3ec9c82c9d78fae84247698d2420ac2_wannacry.exe
Size

3.9MB
MD5

d3ec9c82c9d78fae84247698d2420ac2
SHA1

4baacfd7be5711bd35f758781327a1dfd228542c
SHA256

0cff80224ebf4fc5779711665f8ec7aa40c3226ac129fe160ae05fb6cb29d2c3
SHA512

438d6239a782fe6734ece1aaa303aadaad8ff9156b9279b5435f2778b7e4bd107ef7447b406b5f0d4b09762e2cb021fe2ab81f10f2df634743422717accab7b2
SSDEEP

98304:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:Z8qPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3276) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
2844	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2024-12-21_d3ec9c82c9d78fae84247698d2420ac2_wannacry.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2024-12-21_d3ec9c82c9d78fae84247698d2420ac2_wannacry.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-21_d3ec9c82c9d78fae84247698d2420ac2_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-21_d3ec9c82c9d78fae84247698d2420ac2_wannacry.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2024-12-21_d3ec9c82c9d78fae84247698d2420ac2_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2024-12-21_d3ec9c82c9d78fae84247698d2420ac2_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-21_d3ec9c82c9d78fae84247698d2420ac2_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1868
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2844

C:\Users\Admin\AppData\Local\Temp\2024-12-21_d3ec9c82c9d78fae84247698d2420ac2_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-21_d3ec9c82c9d78fae84247698d2420ac2_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit