wannacry | 53acd0c786ccca6160ab4b9402b53c82612d988505348f1946376c6404efbc49

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fix.exe
Size

578KB
MD5

fe1bbd253c6e02e7a95d825d91a0c544
SHA1

dd1176fb78bae40fdfd2d33bb1c11ea30e15735e
SHA256

53acd0c786ccca6160ab4b9402b53c82612d988505348f1946376c6404efbc49
SHA512

e451f5df1c7868037e265263b4e8d69609018f7ac26877b5a87cffaaf00635d6639aa253de4a4e3b50f8750d751cc57e1b1fafd06077ed1ea696ef0852195df7
SSDEEP

12288:/mquC3hOcjcHU8wr3azBzS+gGJM3tBSEpfV/UbFw2WGVG+:/mEoDJMLpfVq3VG

Score

10^/10

wannacry xworm discovery execution persistence ransomware rat trojan worm

Malware Config

Extracted

Family

xworm

php-saver.gl.at.ply.gg:7031

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/memory/2244-16-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm
behavioral1/memory/2244-13-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm
behavioral1/memory/2244-11-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm
behavioral1/memory/2244-8-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm
behavioral1/memory/2244-7-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe
2660	powershell.exe
3068	powershell.exe
1676	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	fix.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	fix.exe

Executes dropped EXE 1 IoCs

pid	Process
1788	qqdqqn.exe

Loads dropped DLL 2 IoCs

pid	Process
2244	fix.exe
2244	fix.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\666999666 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fix.exe"	fix.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\svchost.exe"	fix.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3056 set thread context of 2244	3056	fix.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qqdqqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2124	powershell.exe
2660	powershell.exe
3068	powershell.exe
1676	powershell.exe
2244	fix.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	fix.exe
Token: SeDebugPrivilege	2244	fix.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2244	fix.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2244	fix.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2244	3056	fix.exe	30
PID 3056 wrote to memory of 2244	3056	fix.exe	30
PID 3056 wrote to memory of 2244	3056	fix.exe	30
PID 3056 wrote to memory of 2244	3056	fix.exe	30
PID 3056 wrote to memory of 2244	3056	fix.exe	30
PID 3056 wrote to memory of 2244	3056	fix.exe	30
PID 3056 wrote to memory of 2244	3056	fix.exe	30
PID 3056 wrote to memory of 2244	3056	fix.exe	30
PID 3056 wrote to memory of 2244	3056	fix.exe	30
PID 2244 wrote to memory of 2124	2244	fix.exe	31
PID 2244 wrote to memory of 2124	2244	fix.exe	31
PID 2244 wrote to memory of 2124	2244	fix.exe	31
PID 2244 wrote to memory of 2124	2244	fix.exe	31
PID 2244 wrote to memory of 2660	2244	fix.exe	33
PID 2244 wrote to memory of 2660	2244	fix.exe	33
PID 2244 wrote to memory of 2660	2244	fix.exe	33
PID 2244 wrote to memory of 2660	2244	fix.exe	33
PID 2244 wrote to memory of 3068	2244	fix.exe	35
PID 2244 wrote to memory of 3068	2244	fix.exe	35
PID 2244 wrote to memory of 3068	2244	fix.exe	35
PID 2244 wrote to memory of 3068	2244	fix.exe	35
PID 2244 wrote to memory of 1676	2244	fix.exe	37
PID 2244 wrote to memory of 1676	2244	fix.exe	37
PID 2244 wrote to memory of 1676	2244	fix.exe	37
PID 2244 wrote to memory of 1676	2244	fix.exe	37
PID 2244 wrote to memory of 1788	2244	fix.exe	41
PID 2244 wrote to memory of 1788	2244	fix.exe	41
PID 2244 wrote to memory of 1788	2244	fix.exe	41
PID 2244 wrote to memory of 1788	2244	fix.exe	41

C:\Users\Admin\AppData\Local\Temp\fix.exe
"C:\Users\Admin\AppData\Local\Temp\fix.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\fix.exe
  "C:\Users\Admin\AppData\Local\Temp\fix.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fix.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fix.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\qqdqqn.exe
    "C:\Users\Admin\AppData\Local\Temp\qqdqqn.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqdqqn.exe

Filesize
1024KB

MD5
8df6fbeed45538256e08b8ac6e849d86

SHA1
dcbed55f186f0dc8057aeb961dda4abd465b551f

SHA256
d38716a81c8a9930b8d41e706eeb52ed54a0dbf39e143df3cd67f7bccbd6d159

SHA512
2a7c45939daaf52163d706308aff5a9898cb05cf75b4d7486b53b61c48dc45b6a89521c4aff3b450224b03d2e86b7ad7f13dc9dccfca9862c75fdc061efc0011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cec27e36dcf11549bc4126b644d8987c

SHA1
6c1525ee7ddc828df5f5751501c37b1f00ed9544

SHA256
5baa5af0a176e1d3fffb928bf2984fc681736220cfa5a79a8f312387a34160d7

SHA512
e6f11cb5355efe89355c0cb4899a0d9ccd81760276c5199790fc1127685f45cdcc10b0337588e7013085debd74639ad585880d81834ef080387dfb91cb7a8434

Download Submit
\Users\Admin\AppData\Local\Temp\qqdqqn.exe

Filesize
2.9MB

MD5
4ba20bf9f5e0cc01570bf002686a68b6

SHA1
febd75fbc1555e31ba21a14b6b1f52a5f8cd61ac

SHA256
e185bdfcd262429b67fda53737519eb9e41180e72d76faaf5bc0f03c31b5c9cf

SHA512
bb35958754b976f0e0c1a11ec5a4bc726b7e27d73a1609e9992c8426c94ca65591495a1636aeb558b36891b9af74860c9d27265d1d029defff33e84a4d50b307

Download Submit
\Users\Admin\svchost.exe

Filesize
578KB

MD5
fe1bbd253c6e02e7a95d825d91a0c544

SHA1
dd1176fb78bae40fdfd2d33bb1c11ea30e15735e

SHA256
53acd0c786ccca6160ab4b9402b53c82612d988505348f1946376c6404efbc49

SHA512
e451f5df1c7868037e265263b4e8d69609018f7ac26877b5a87cffaaf00635d6639aa253de4a4e3b50f8750d751cc57e1b1fafd06077ed1ea696ef0852195df7

Download Submit
memory/2244-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2244-44-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2244-18-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2244-13-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2244-11-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2244-5-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2244-8-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2244-7-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2244-16-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2244-36-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2244-3-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2244-42-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/2244-43-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-17-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/3056-2-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

Filesize
4KB

Download
memory/3056-1-0x0000000001180000-0x0000000001216000-memory.dmp

Filesize
600KB

Download