wannacry | c3afa515f5b594145699c0e55be85f72a18614fceb34def8587fc04fac5c2178

Analysis

max time kernel
162s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2022 19:38

Target

d3ec672641453f5c89df88d4f8406c2d.exe
Size

5.0MB
MD5

d3ec672641453f5c89df88d4f8406c2d
SHA1

04d830bea0adf586eb26b87169f60f86496d8524
SHA256

c3afa515f5b594145699c0e55be85f72a18614fceb34def8587fc04fac5c2178
SHA512

17697e8b1c1cea78b3dd10543bfa3cb29b4b0511af05a2745f339391854914192fc6b8763313933d4f11f59600d09eee3aec043d0dfc1e01592fbb21cd47fc37
SSDEEP

98304:yDqPoBhz1aRxcSUDk36SAEdhvxWaN593R8yAVp2H:yDqPe1Cxcxk3ZAEUaNzR8yc4H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3341) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

1112 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 1 IoCs

Processes:

d3ec672641453f5c89df88d4f8406c2d.exe

description ioc process

File created C:\WINDOWS\tasksche.exe d3ec672641453f5c89df88d4f8406c2d.exe

pid	process
1112	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	d3ec672641453f5c89df88d4f8406c2d.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

d3ec672641453f5c89df88d4f8406c2d.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	d3ec672641453f5c89df88d4f8406c2d.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	d3ec672641453f5c89df88d4f8406c2d.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	d3ec672641453f5c89df88d4f8406c2d.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	d3ec672641453f5c89df88d4f8406c2d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	d3ec672641453f5c89df88d4f8406c2d.exe

C:\Users\Admin\AppData\Local\Temp\d3ec672641453f5c89df88d4f8406c2d.exe
"C:\Users\Admin\AppData\Local\Temp\d3ec672641453f5c89df88d4f8406c2d.exe"
1⤵
- Drops file in Windows directory
PID:1236

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:1112

C:\Users\Admin\AppData\Local\Temp\d3ec672641453f5c89df88d4f8406c2d.exe
C:\Users\Admin\AppData\Local\Temp\d3ec672641453f5c89df88d4f8406c2d.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:4724

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
9bba78cb86b7021eafc584a46d38bf14

SHA1
499621d587e43c32e89bd3e406f71dba048f09bc

SHA256
be6aff27c378fd6b83694b401b8c4e628114bd51221075ff3f21eb5e8ff6b7c4

SHA512
ee4eff0214674776a45ccd1f485c69a5a88b9a3e9b6e1732742275aeba4a99de1e1520501a47adbb9182ef8d18917e777c9ebc909aff6215724c263c2e7091ed

Download Submit