wannacry | c4864b9cd0e9d0cf393b0da8126ba7928c3e1a2f7dc2bfdaf463086c1a079b6e

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 21:34

Target

1660afa6704de7febc3a0d177aa2ed1e.exe
Size

3.6MB
MD5

1660afa6704de7febc3a0d177aa2ed1e
SHA1

fa4804674193a4c9a5b55fbf9aea55d060e7a7c5
SHA256

c4864b9cd0e9d0cf393b0da8126ba7928c3e1a2f7dc2bfdaf463086c1a079b6e
SHA512

8733e67795ba1ab89190b3dba8cf545ec48c61ef5062bcc8782e8e1ff523314bcd47e06858bf808310debb10163922b39f448ab75c8b6e9e1a140d15b512b602
SSDEEP

49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhn:yDqPoBhz1aRxcSUDk36SAEdh

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3367) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

1104 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 1 IoCs

Processes:

1660afa6704de7febc3a0d177aa2ed1e.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 1660afa6704de7febc3a0d177aa2ed1e.exe

pid	process
1104	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	1660afa6704de7febc3a0d177aa2ed1e.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

1660afa6704de7febc3a0d177aa2ed1e.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	1660afa6704de7febc3a0d177aa2ed1e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	1660afa6704de7febc3a0d177aa2ed1e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	1660afa6704de7febc3a0d177aa2ed1e.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	1660afa6704de7febc3a0d177aa2ed1e.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	1660afa6704de7febc3a0d177aa2ed1e.exe

C:\Users\Admin\AppData\Local\Temp\1660afa6704de7febc3a0d177aa2ed1e.exe
"C:\Users\Admin\AppData\Local\Temp\1660afa6704de7febc3a0d177aa2ed1e.exe"
1⤵
- Drops file in Windows directory
PID:4244

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:1104

C:\Users\Admin\AppData\Local\Temp\1660afa6704de7febc3a0d177aa2ed1e.exe
C:\Users\Admin\AppData\Local\Temp\1660afa6704de7febc3a0d177aa2ed1e.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:3344

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
ac285f64f82f836e71377a718bb9c1b2

SHA1
4e79e15422ac6bb13e80c086c16c3aef19afd86a

SHA256
ead37781b7d1fc2ac063d4876a0e0b8db6f7c3364c16d9f72bc1ad95b4685c8e

SHA512
7faccc80bf5af6152c0e42746632c45e71e0fa4edbbf495e200c604ba0fe6808956af3d31270ac444e74bbd996f9a81a43edbbb69b8f6873bfba801fe178ccfa

Download Submit