wannacry | 3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08

General

Target

3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Size

2.2MB
MD5

959bc5f8599a393677fb1f97e98abdc0
SHA1

3ae6020736489347c6ef4d0c187686b10b811c68
SHA256

3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08
SHA512

8e4d959ba8d31a0bd7df0012d60e147d50923d1aee8b1a1813f7207196469f025343c7a406fea1617b8c48d6a8e92309c93ce83e5515b56081b437f48bd6b2f9

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

392 tasksche.exe

pid	process
392	tasksche.exe

Drops file in System32 directory 3 IoCs

Processes:

3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\DAR5BCM8.txt	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\DAR5BCM8.txt	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe

Drops file in Windows directory 3 IoCs

Processes:

3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exetasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_259265315	tasksche.exe
File created	C:\Windows\eee.exe	tasksche.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07000d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 6039e6d7ff49d701	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 6039e6d7ff49d701	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

tasksche.exe

pid process

392 tasksche.exe

pid	process
392	tasksche.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe

description	pid	process	target process
PID 1200 wrote to memory of 392	1200	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe	tasksche.exe
PID 1200 wrote to memory of 392	1200	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe	tasksche.exe
PID 1200 wrote to memory of 392	1200	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe	tasksche.exe
PID 1200 wrote to memory of 392	1200	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe	tasksche.exe
PID 1200 wrote to memory of 392	1200	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe	tasksche.exe
PID 1200 wrote to memory of 392	1200	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe	tasksche.exe
PID 1200 wrote to memory of 392	1200	3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe	tasksche.exe

C:\Users\Admin\AppData\Local\Temp\3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
"C:\Users\Admin\AppData\Local\Temp\3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1200

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
PID:392

C:\Users\Admin\AppData\Local\Temp\3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe
C:\Users\Admin\AppData\Local\Temp\3cc3123a3c419ec7c2a93c356c752baf42fd2e6e0400a1cd1da990be8eb65a08.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1552

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\tasksche.exe
MD5
b19741df9577126cd47234b7763b3689

SHA1
0df122b611ec0ab068f9d73fb30c24660a96c480

SHA256
48712ca6a9a8ba2b44b07b698474b0a51b899d97c307042f3e143d76d9acf29e

SHA512
d4182c66444ff212609ca7c68c6bdf765611ed9b8645d865785a171efb98633356df921598af824ccc49ef2970065503b1d86b7fba366335ced7e3309af0f90a

Download Submit
C:\Windows\tasksche.exe
MD5
b19741df9577126cd47234b7763b3689

SHA1
0df122b611ec0ab068f9d73fb30c24660a96c480

SHA256
48712ca6a9a8ba2b44b07b698474b0a51b899d97c307042f3e143d76d9acf29e

SHA512
d4182c66444ff212609ca7c68c6bdf765611ed9b8645d865785a171efb98633356df921598af824ccc49ef2970065503b1d86b7fba366335ced7e3309af0f90a

Download Submit
memory/392-61-0x0000000000000000-mapping.dmp

Download
memory/1200-59-0x00000000768B1000-0x00000000768B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads