wannacry | bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3

Analysis

Target

bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe
Size

2.2MB
MD5

6bfa175e3cbd626ef26394826edb0fdf
SHA1

5baaa75467b69d3ead87a6123512e56d78377940
SHA256

bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3
SHA512

70bffc468c6aae80ddf98c1e54097b3a3e1278c7fa118b28d4116ba95a1d769b4d622586d946b7ec62002539bf0915badeaeb164e0419c5e618262fbb3c432f6

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2562) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 1 IoCs

Processes:

bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe

description ioc process

File created C:\WINDOWS\tasksche.exe bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe

C:\Users\Admin\AppData\Local\Temp\bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe
"C:\Users\Admin\AppData\Local\Temp\bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe"
1⤵
- Drops file in Windows directory
PID:792

C:\Users\Admin\AppData\Local\Temp\bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe
C:\Users\Admin\AppData\Local\Temp\bd3e9d2bd72e399554ba0588778b179e94c3179f7ff32b9c7cdd542731247ff3.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:4700

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact