wannacry | 9a249d31392333f4faa684f6148902a9b55ecb8e3a07b3a47a0dcc29f4fa95a4

General

Target

bcfcf660f0dcba55f56b35e589ce7c72.exe
Size

5.0MB
MD5

bcfcf660f0dcba55f56b35e589ce7c72
SHA1

0ebacf5b1ac3adec1d555630cbe9fa0c4db54c52
SHA256

9a249d31392333f4faa684f6148902a9b55ecb8e3a07b3a47a0dcc29f4fa95a4
SHA512

678a7e25e063f5736c91fd94b7b1939ec9f3a43dca0794fd275820897fe8c1113c84e2d4221a22d3919ac2a38838befc2313d99489d618de3f6b867cdd3dcae9

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Drops file in System32 directory 6 IoCs

Processes:

bcfcf660f0dcba55f56b35e589ce7c72.exebcfcf660f0dcba55f56b35e589ce7c72.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\6ORWYNJN.txt	bcfcf660f0dcba55f56b35e589ce7c72.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	bcfcf660f0dcba55f56b35e589ce7c72.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\IOI23XUU.txt	bcfcf660f0dcba55f56b35e589ce7c72.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\IOI23XUU.txt	bcfcf660f0dcba55f56b35e589ce7c72.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	bcfcf660f0dcba55f56b35e589ce7c72.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\6ORWYNJN.txt	bcfcf660f0dcba55f56b35e589ce7c72.exe

Drops file in Windows directory 1 IoCs

Processes:

bcfcf660f0dcba55f56b35e589ce7c72.exe

description ioc process

File created C:\WINDOWS\tasksche.exe bcfcf660f0dcba55f56b35e589ce7c72.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1712 1760 WerFault.exe bcfcf660f0dcba55f56b35e589ce7c72.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	bcfcf660f0dcba55f56b35e589ce7c72.exe

pid	pid_target	process	target process
1712	1760	WerFault.exe	bcfcf660f0dcba55f56b35e589ce7c72.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

bcfcf660f0dcba55f56b35e589ce7c72.exebcfcf660f0dcba55f56b35e589ce7c72.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070057000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 30d4476234d2d601	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070057000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 30d4476234d2d601	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network"	bcfcf660f0dcba55f56b35e589ce7c72.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070057000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 9058d9a034d2d601	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 9058d9a034d2d601	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 30d4476234d2d601	bcfcf660f0dcba55f56b35e589ce7c72.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0"	bcfcf660f0dcba55f56b35e589ce7c72.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1712 WerFault.exe
1712 WerFault.exe
1712 WerFault.exe
1712 WerFault.exe
1712 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1712 WerFault.exe

pid	process
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe
1712	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1712	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bcfcf660f0dcba55f56b35e589ce7c72.exe

description	pid	process	target process
PID 1760 wrote to memory of 1712	1760	bcfcf660f0dcba55f56b35e589ce7c72.exe	WerFault.exe
PID 1760 wrote to memory of 1712	1760	bcfcf660f0dcba55f56b35e589ce7c72.exe	WerFault.exe
PID 1760 wrote to memory of 1712	1760	bcfcf660f0dcba55f56b35e589ce7c72.exe	WerFault.exe
PID 1760 wrote to memory of 1712	1760	bcfcf660f0dcba55f56b35e589ce7c72.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\bcfcf660f0dcba55f56b35e589ce7c72.exe
"C:\Users\Admin\AppData\Local\Temp\bcfcf660f0dcba55f56b35e589ce7c72.exe"
1⤵
- Drops file in Windows directory
PID:1408

C:\Users\Admin\AppData\Local\Temp\bcfcf660f0dcba55f56b35e589ce7c72.exe
C:\Users\Admin\AppData\Local\Temp\bcfcf660f0dcba55f56b35e589ce7c72.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 1312
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\AppData\Local\Temp\bcfcf660f0dcba55f56b35e589ce7c72.exe
C:\Users\Admin\AppData\Local\Temp\bcfcf660f0dcba55f56b35e589ce7c72.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1200-2-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp

Filesize
2.5MB

Download
memory/1712-3-0x0000000000000000-mapping.dmp

Download
memory/1712-4-0x0000000000900000-0x0000000000911000-memory.dmp

Filesize
68KB

Download
memory/1712-5-0x0000000000900000-0x0000000000911000-memory.dmp

Filesize
68KB

Download
memory/1712-8-0x00000000012E0000-0x00000000012F1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads