Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-01-2025 12:33

General

  • Target

    2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe

  • Size

    5.0MB

  • MD5

    8219cada1ace7ec6535a3c45de6f94fa

  • SHA1

    b44b2714db03703f879239826fbf01750c69c2dc

  • SHA256

    f26b45006333f8f8c1b2efae5382077635a46e9eac4223ee6469bd908898928c

  • SHA512

    76fbc9c0f1873bb1b3f5c48917b83c666622eec9ab69e86246088dc2b018edada3092f74693d0a406542c46782bef3b98de1ee450f5e49f0dc0d2c5db1009e21

  • SSDEEP

    98304:yDqPoBhz1aRxcSUDk36SAEdhvxWas593R8yAVp2H:yDqPe1Cxcxk3ZAEUaszR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Contacts a large (3297) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:216
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:5048
  • C:\Users\Admin\AppData\Local\Temp\2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe -m security
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:3552

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    fcbc058eeab7fd8c9b6fe129eeff2c88

    SHA1

    101102dfea60d85d5f650d45ef17ab5f02ada179

    SHA256

    b4c9512ea0d78f7e41fa3b585484d080026a3599e931a4ce4939ea890cf5d411

    SHA512

    6f1a484d71cf9c1113c5d5e400d02f83b695076954d7e0b70630751a8e04d3672b0ef905baeb3a932f3288c88bdd425b5ed8679608e97e30b20ed6ca27820834