wannacry | d1784e9d5d0194db4f4c046016b55c6afbc7f947206681a4cb4d30dceb4ce990

General

Target

8525fc63e7c3e358d9772d3bb40370b7.exe
Size

3.6MB
MD5

8525fc63e7c3e358d9772d3bb40370b7
SHA1

0d1e25ec3de70f0e88ecee7214f2b9192f0b0f02
SHA256

d1784e9d5d0194db4f4c046016b55c6afbc7f947206681a4cb4d30dceb4ce990
SHA512

3eeca70748de7056d4d5467909d83c103a805ca8270153e07013e0b55a0dcf838694051753040216be69aa934a943f6880063c020fee4b8a22aeffc11a0717c2

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

1716 tasksche.exe

pid	process
1716	tasksche.exe

Drops file in System32 directory 6 IoCs

Processes:

8525fc63e7c3e358d9772d3bb40370b7.exe8525fc63e7c3e358d9772d3bb40370b7.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\363PBTA3.txt	8525fc63e7c3e358d9772d3bb40370b7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\363PBTA3.txt	8525fc63e7c3e358d9772d3bb40370b7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	8525fc63e7c3e358d9772d3bb40370b7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\CHA4Q3N1.txt	8525fc63e7c3e358d9772d3bb40370b7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\CHA4Q3N1.txt	8525fc63e7c3e358d9772d3bb40370b7.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	8525fc63e7c3e358d9772d3bb40370b7.exe

Drops file in Windows directory 1 IoCs

Processes:

8525fc63e7c3e358d9772d3bb40370b7.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 8525fc63e7c3e358d9772d3bb40370b7.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1196 1924 WerFault.exe 8525fc63e7c3e358d9772d3bb40370b7.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	8525fc63e7c3e358d9772d3bb40370b7.exe

pid	pid_target	process	target process
1196	1924	WerFault.exe	8525fc63e7c3e358d9772d3bb40370b7.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

8525fc63e7c3e358d9772d3bb40370b7.exe8525fc63e7c3e358d9772d3bb40370b7.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadNetworkName = "Network"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = d05dc52836d2d601	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\32-e2-17-db-d2-77	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadNetworkName = "Network"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecisionReason = "1"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecision = "0"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\32-e2-17-db-d2-77	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070018000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecisionTime = d05dc52836d2d601	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecisionReason = "1"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecisionTime = 30cbcee835d2d601	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6CD91550-F1B8-44A7-B169-07A502AE3F35}\WpadDecision = "0"	8525fc63e7c3e358d9772d3bb40370b7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 30cbcee835d2d601	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070018000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070018000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	8525fc63e7c3e358d9772d3bb40370b7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 30cbcee835d2d601	8525fc63e7c3e358d9772d3bb40370b7.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1196 WerFault.exe
1196 WerFault.exe
1196 WerFault.exe
1196 WerFault.exe
1196 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1196 WerFault.exe

pid	process
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe
1196	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1196	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

8525fc63e7c3e358d9772d3bb40370b7.exe

description	pid	process	target process
PID 1924 wrote to memory of 1196	1924	8525fc63e7c3e358d9772d3bb40370b7.exe	WerFault.exe
PID 1924 wrote to memory of 1196	1924	8525fc63e7c3e358d9772d3bb40370b7.exe	WerFault.exe
PID 1924 wrote to memory of 1196	1924	8525fc63e7c3e358d9772d3bb40370b7.exe	WerFault.exe
PID 1924 wrote to memory of 1196	1924	8525fc63e7c3e358d9772d3bb40370b7.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\8525fc63e7c3e358d9772d3bb40370b7.exe
"C:\Users\Admin\AppData\Local\Temp\8525fc63e7c3e358d9772d3bb40370b7.exe"
1⤵
- Drops file in Windows directory
PID:1120

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\8525fc63e7c3e358d9772d3bb40370b7.exe
C:\Users\Admin\AppData\Local\Temp\8525fc63e7c3e358d9772d3bb40370b7.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 1236
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Users\Admin\AppData\Local\Temp\8525fc63e7c3e358d9772d3bb40370b7.exe
C:\Users\Admin\AppData\Local\Temp\8525fc63e7c3e358d9772d3bb40370b7.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe
MD5
2a4bf4d6186cb788fca54807a562b5c2

SHA1
a6c64bf1000c66f6d51ca6c31aafba43625579bd

SHA256
d6f84f06a3969229fd5e21f0d01235fad36cd9b626cad7894a75d8b51191502d

SHA512
1b37e7b953c2ee75964d7f8b043f6d80ca939d1c1a0de91bfee691108cd0835f0b86e190be86d1ce485679ebaf279002a171a62abc92158634553439d1c8236a

Download Submit
memory/1196-4-0x0000000000000000-mapping.dmp

Download
memory/1196-5-0x0000000000BD0000-0x0000000000BE1000-memory.dmp

Filesize
68KB

Download
memory/1196-6-0x0000000000BD0000-0x0000000000BE1000-memory.dmp

Filesize
68KB

Download
memory/1196-9-0x0000000001230000-0x0000000001241000-memory.dmp

Filesize
68KB

Download
memory/1276-2-0x000007FEF7AA0000-0x000007FEF7D1A000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads