Overview

overview

10

Static

static

3

2025-02-12...ry.exe

windows7-x64

10

2025-02-12...ry.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2025-02-12_bd78d4c9b56203f9e85b3760e6db8aa2_wannacry

  • Size

    3.6MB

  • Sample

    250212-ztzrqaylhs

  • MD5

    bd78d4c9b56203f9e85b3760e6db8aa2

  • SHA1

    aa07b022935f5c2c7efc55725bd8daf64dda84df

  • SHA256

    7142bb2046d9ee61c448712fd9e660bb4b7f5ad4e56bd39fdf5eab2be0a9328d

  • SHA512

    c4faa90d3282fd583a245485dec1d04cef15357608df8d703b6aa64d506dabf7a2aec3829c3e38354a06d7f433a3d5859615e4d1cb736c67f2fbb04ba2bdd781

  • SSDEEP

    98304:yDqPoBhz1aRxcSUDk36SAEdhvd3R8yAVp2AZx8:yDqPe1Cxcxk3ZAEhR8yc4A78

Score
10/10
wannacryadwarediscoverypersistenceprivilege_escalationransomwarestealerworm

Malware Config

Targets

    • Target

      2025-02-12_bd78d4c9b56203f9e85b3760e6db8aa2_wannacry

    • Size

      3.6MB

    • MD5

      bd78d4c9b56203f9e85b3760e6db8aa2

    • SHA1

      aa07b022935f5c2c7efc55725bd8daf64dda84df

    • SHA256

      7142bb2046d9ee61c448712fd9e660bb4b7f5ad4e56bd39fdf5eab2be0a9328d

    • SHA512

      c4faa90d3282fd583a245485dec1d04cef15357608df8d703b6aa64d506dabf7a2aec3829c3e38354a06d7f433a3d5859615e4d1cb736c67f2fbb04ba2bdd781

    • SSDEEP

      98304:yDqPoBhz1aRxcSUDk36SAEdhvd3R8yAVp2AZx8:yDqPe1Cxcxk3ZAEhR8yc4A78

    Score
    10/10
    wannacrydiscoveryransomwarewormadwarepersistenceprivilege_escalationstealer

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Wannacry family

      wannacry

    • Contacts a large (3045) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks