wannacry | de1d9df9bc22aadc49fac4585339f7cafa4f82d53065c41720752fbd5e77092b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-28_d58831eed091ad3b9557050ca17938da_wannacry.exe
Size

5.0MB
MD5

d58831eed091ad3b9557050ca17938da
SHA1

0b2b888225ee436e0b31f6c6592f6eeb4640900e
SHA256

de1d9df9bc22aadc49fac4585339f7cafa4f82d53065c41720752fbd5e77092b
SHA512

652c7db33a616c9834c84e5816f7ff6ffbb7a129b3de0e61aa5cf7f3ac3cd1f89132616177e90488fad2fee8acf4b4091ca8f7cd043fce5e0ac2fcd74059e96a
SSDEEP

6144:GE9l9yNqIYVTH5DgSg8ajldktM0XXrs2QhM:GwbLgPluxQhM

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3260) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
4652	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2024-12-28_d58831eed091ad3b9557050ca17938da_wannacry.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3476	4652	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-28_d58831eed091ad3b9557050ca17938da_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-28_d58831eed091ad3b9557050ca17938da_wannacry.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 4652	732	2024-12-28_d58831eed091ad3b9557050ca17938da_wannacry.exe	84
PID 732 wrote to memory of 4652	732	2024-12-28_d58831eed091ad3b9557050ca17938da_wannacry.exe	84
PID 732 wrote to memory of 4652	732	2024-12-28_d58831eed091ad3b9557050ca17938da_wannacry.exe	84

C:\Users\Admin\AppData\Local\Temp\2024-12-28_d58831eed091ad3b9557050ca17938da_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-28_d58831eed091ad3b9557050ca17938da_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:732
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 220
    3⤵
    - Program crash
    PID:3476

C:\Users\Admin\AppData\Local\Temp\2024-12-28_d58831eed091ad3b9557050ca17938da_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-28_d58831eed091ad3b9557050ca17938da_wannacry.exe -m security
1⤵
- System Location Discovery: System Language Discovery
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4652 -ip 4652
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
6e4ab0a491a0001608102434facbbeb2

SHA1
bdde6d2b0ee5fb783a668d0de32dbe6588c81037

SHA256
c6db24824ccf6398d19280283a128da90af8ed1792a15639f6bc707e5e5bda6f

SHA512
657e398bee01323ece3c360f99a2dcdce1e6d954107b5b9fd5639c20a9e58d546c24dbf2c5118d9722239b51a2e3e65726762c00f0f93c89cad280c6d560529d

Download Submit