wannacry | bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26

General

Target

bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Size

3.6MB
MD5

1b050ebe031393a42ee9538199419589
SHA1

bde576ee3b9b90cfb261d4e13677dc24d526e7f2
SHA256

bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26
SHA512

284396f7da48830750342eeda2439428152946c727a1c4da4af203e9006e570e7d8f11906b636f3cbf5af790a26a54cb6d7d44583bd0e89fe6b878cd5afb9409

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

1744 tasksche.exe

pid	process
1744	tasksche.exe

Drops file in System32 directory 2 IoCs

Processes:

bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exebbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe

Drops file in Windows directory 1 IoCs

Processes:

bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe

description ioc process

File created C:\WINDOWS\tasksche.exe bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1176 1800 WerFault.exe bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe

pid	pid_target	process	target process
1176	1800	WerFault.exe	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exebbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070029000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 309669784049d701	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 309669784049d701	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 308179aa4049d701	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070029000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070029000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 308179aa4049d701	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 309669784049d701	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDetectedUrl	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1176 WerFault.exe
1176 WerFault.exe
1176 WerFault.exe
1176 WerFault.exe
1176 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1176 WerFault.exe

pid	process
1176	WerFault.exe
1176	WerFault.exe
1176	WerFault.exe
1176	WerFault.exe
1176	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1176	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe

description	pid	process	target process
PID 1800 wrote to memory of 1176	1800	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe	WerFault.exe
PID 1800 wrote to memory of 1176	1800	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe	WerFault.exe
PID 1800 wrote to memory of 1176	1800	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe	WerFault.exe
PID 1800 wrote to memory of 1176	1800	bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
"C:\Users\Admin\AppData\Local\Temp\bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe"
1⤵
- Drops file in Windows directory
PID:1208

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:1744

C:\Users\Admin\AppData\Local\Temp\bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
C:\Users\Admin\AppData\Local\Temp\bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1096
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Users\Admin\AppData\Local\Temp\bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe
C:\Users\Admin\AppData\Local\Temp\bbf798ec1223e2b20f0d646682aeb90e02f1f7b1b9b7ad5d430843f38a7e8f26.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe
MD5
0be1393c5d427ee17e120e026b79f144

SHA1
6b6b72479cd2cb26b664d5c7e76d5f103b4eb8ae

SHA256
61bcd56d40e68126c3e24b5e067730ebead13fcc1ae0b344a63fc42624102c3a

SHA512
179cfdb9bb52b6ed977cb3e992a0b2d2acc7ee37ce560f7e68c9358e2c6cbbb4d45f35751a940fb86da7906a7fc132d50ffee0d6672a1d592a0c74bc0f7d3182

Download Submit
memory/1176-62-0x0000000000000000-mapping.dmp

Download
memory/1208-59-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads