Resubmissions

03-02-2025 04:35

250203-e7wxrsslej 10

03-02-2025 02:39

250203-c5gzqaxkdy 10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-02-2025 02:39

General

  • Target

    2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe

  • Size

    2.2MB

  • MD5

    211d3c5f37a5b13a27dc0ccfe5a41168

  • SHA1

    6dad34d736943e645845c21a14666337da5fc6ce

  • SHA256

    805bc4fd54475d93b3811aeb32f2c761f46d52168507f3a0688d231ea117915e

  • SHA512

    2886b97c9a25cdbe443f49944fe50453742592fc501395221c4b4f5feeebe4f5b1df92de2fc8b91df67b84377fea3b428168c2a0a3d04e2d2a64efa9bf16e87b

  • SSDEEP

    12288:e1bLgmluCti62gaIMu7LocQhfYNvrTcbckPU82900Ve7zw+K+DHeQYSUjEXF:QbLguriXd5cQdIvrYbcMNgef0QeQj

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Contacts a large number (3241) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2324
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1920
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 224
        3⤵
        • Program crash
        PID:516
  • C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
    C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2304

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    2.0MB

    MD5

    81eae535f1bd00964645080809077b55

    SHA1

    9f3e1329142afb5ef9ba9e85b800876ed630eb30

    SHA256

    cc63f36dc17a0a98aa80e296f467cda6a1e0771e8d1b224efe524b532e7bc3dc

    SHA512

    d53e2095b46f65cbd55a85f1b594dcdba95188156e322340bd39235369f20536bc857f8f81b1e9c8d7321f1ba991d798ead95b067b0547e6ed41cdccd8bef704