Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-01-2025 12:33
Static task
static1
Behavioral task
behavioral1
Sample
2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe
Resource
win10v2004-20241007-en
General
-
Target
2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe
-
Size
5.0MB
-
MD5
8219cada1ace7ec6535a3c45de6f94fa
-
SHA1
b44b2714db03703f879239826fbf01750c69c2dc
-
SHA256
f26b45006333f8f8c1b2efae5382077635a46e9eac4223ee6469bd908898928c
-
SHA512
76fbc9c0f1873bb1b3f5c48917b83c666622eec9ab69e86246088dc2b018edada3092f74693d0a406542c46782bef3b98de1ee450f5e49f0dc0d2c5db1009e21
-
SSDEEP
98304:yDqPoBhz1aRxcSUDk36SAEdhvxWas593R8yAVp2H:yDqPe1Cxcxk3ZAEUaszR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (3297) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid Process 5048 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe 2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe"C:\Users\Admin\AppData\Local\Temp\2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:216 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:5048
-
-
C:\Users\Admin\AppData\Local\Temp\2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exeC:\Users\Admin\AppData\Local\Temp\2025-01-17_8219cada1ace7ec6535a3c45de6f94fa_wannacry.exe -m security1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3552
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5fcbc058eeab7fd8c9b6fe129eeff2c88
SHA1101102dfea60d85d5f650d45ef17ab5f02ada179
SHA256b4c9512ea0d78f7e41fa3b585484d080026a3599e931a4ce4939ea890cf5d411
SHA5126f1a484d71cf9c1113c5d5e400d02f83b695076954d7e0b70630751a8e04d3672b0ef905baeb3a932f3288c88bdd425b5ed8679608e97e30b20ed6ca27820834