Overview

overview

10

Static

static

3

2025-01-10...ry.exe

windows11-21h2-x64

10

Resubmissions

10-01-2025 17:20

250110-vwnp1ssran 10

10-01-2025 17:19

250110-vv8zkazqfs 10

10-01-2025 12:28

250110-pnsq4stqbx 10

Analysis

  • max time kernel
    900s
  • max time network
    901s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10-01-2025 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-01-10_8f8fb40a1051d221d36afedc8e01a94b_wannacry.exe

  • Size

    5.0MB

  • MD5

    8f8fb40a1051d221d36afedc8e01a94b

  • SHA1

    c2fbcd7e704d3051afee7ea369fcf266cec28958

  • SHA256

    eda5198147ac32f805c96e13ef2681625916f368dd688c7db313c19f96d64652

  • SHA512

    fa4c2b88aaea9bd997867c50909b87e45a4deae2183105846df8b2733e808550b1961b1dc1cb003a1ec18fc03ff191b1525e3d564041c6698752279550505e2a

  • SSDEEP

    24576:QbLguriKyMSirYbcMNgezQeQjG/D8kIqp+vbOSSqTPV:QnGMSPbcBuQej/d+TSqTd

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Wannacry family
    wannacry
  • Contacts a large (17255) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-10_8f8fb40a1051d221d36afedc8e01a94b_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-10_8f8fb40a1051d221d36afedc8e01a94b_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:3216
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 8
        3⤵
        • Program crash
        PID:1464
  • C:\Users\Admin\AppData\Local\Temp\2025-01-10_8f8fb40a1051d221d36afedc8e01a94b_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2025-01-10_8f8fb40a1051d221d36afedc8e01a94b_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4804
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3216 -ip 3216
    1⤵
      PID:2944

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\tasksche.exe
      Filesize

      2.0MB

      MD5

      8928a762b7bdc027970816e7a7817fa5

      SHA1

      049c726beaf5fe48e6bcc692eb5c25eb47f80de5

      SHA256

      4a02699a917d73fd9988850972b8d96f4d2367874eada34557377cee807f2400

      SHA512

      0b398fe79a11d4180f21e14bdb49b2c691349bf188266b4509a82f89441303f64f4fc90cb5da4c4a5236e50e6f3866b29027ad9c544a15ad8b339bb2eae0aca0

      Download Submit