wannacry | ae78d50f80b03b2c8bab5a189f4af890ab753dd7cfc73494b0d22f44fac599b7

General

Target

9e0831bbad2cf01947e7bc48bb3e541e.exe
Size

3.6MB
MD5

9e0831bbad2cf01947e7bc48bb3e541e
SHA1

54da937e67ef0a839a12caff913fa6ff2e4bbc5d
SHA256

ae78d50f80b03b2c8bab5a189f4af890ab753dd7cfc73494b0d22f44fac599b7
SHA512

1e75525a893042dc8a8a38d7dd5c890742d16aa587f89b55ca7d584c8a59744c0569bb4321677af9d04a7a7f5abcb7e15969332064ac6b798a6c8feaf1eb219d
SSDEEP

49152:2nAQhMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:yDhPoBhz1aRxcSUDk36SAEdhv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1165) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

1752 tasksche.exe

pid	process
1752	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

9e0831bbad2cf01947e7bc48bb3e541e.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	9e0831bbad2cf01947e7bc48bb3e541e.exe

Drops file in Windows directory 1 IoCs

Processes:

9e0831bbad2cf01947e7bc48bb3e541e.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 9e0831bbad2cf01947e7bc48bb3e541e.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	9e0831bbad2cf01947e7bc48bb3e541e.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

9e0831bbad2cf01947e7bc48bb3e541e.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DFB1061-18D8-4C5B-9E8A-D57C335BBDDC}\WpadDecisionReason = "1"	9e0831bbad2cf01947e7bc48bb3e541e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DFB1061-18D8-4C5B-9E8A-D57C335BBDDC}\42-7a-8a-90-cc-0d	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-7a-8a-90-cc-0d\WpadDecision = "0"	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	9e0831bbad2cf01947e7bc48bb3e541e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DFB1061-18D8-4C5B-9E8A-D57C335BBDDC}\WpadNetworkName = "Network 3"	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-7a-8a-90-cc-0d\WpadDecisionReason = "1"	9e0831bbad2cf01947e7bc48bb3e541e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	9e0831bbad2cf01947e7bc48bb3e541e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DFB1061-18D8-4C5B-9E8A-D57C335BBDDC}\WpadDecision = "0"	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-7a-8a-90-cc-0d\WpadDecisionTime = 60802864b5bcd801	9e0831bbad2cf01947e7bc48bb3e541e.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	9e0831bbad2cf01947e7bc48bb3e541e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DFB1061-18D8-4C5B-9E8A-D57C335BBDDC}\WpadDecisionTime = 60802864b5bcd801	9e0831bbad2cf01947e7bc48bb3e541e.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	9e0831bbad2cf01947e7bc48bb3e541e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7DFB1061-18D8-4C5B-9E8A-D57C335BBDDC}	9e0831bbad2cf01947e7bc48bb3e541e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-7a-8a-90-cc-0d	9e0831bbad2cf01947e7bc48bb3e541e.exe

C:\Users\Admin\AppData\Local\Temp\9e0831bbad2cf01947e7bc48bb3e541e.exe
"C:\Users\Admin\AppData\Local\Temp\9e0831bbad2cf01947e7bc48bb3e541e.exe"
1⤵
- Drops file in Windows directory
PID:1248

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:1752

C:\Users\Admin\AppData\Local\Temp\9e0831bbad2cf01947e7bc48bb3e541e.exe
C:\Users\Admin\AppData\Local\Temp\9e0831bbad2cf01947e7bc48bb3e541e.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:272

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
8335fd04836371943cc21abdff044dc8

SHA1
09291038edc5aef2e6a6d4a6c9657fd544fa529a

SHA256
746b1c39889681e4d2f2851249c5592ab11024b58167290589e2dea056de260f

SHA512
d7d5c214206aaeb662c907ad5218873264dfd1fde12070fdddd09d692b3e597b8de89afff704403d454fb74e1282ba1dd2b8e3b7239251e752e92363f84183a1

Download Submit
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing