wannacry | 194dd7372ab80502948532d6f99a461b5c6d98c34438d0b2618e2385c44ffde7

Analysis

max time kernel
161s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2022 19:50

Target

b562c6ed92797b8227b94d4f6aed36dd.exe
Size

3.6MB
MD5

b562c6ed92797b8227b94d4f6aed36dd
SHA1

9c3bf8ecc5e2422ae51fe671b24281959b3d6bb3
SHA256

194dd7372ab80502948532d6f99a461b5c6d98c34438d0b2618e2385c44ffde7
SHA512

66e6ae549cdf4056096d0afb8de77ffe716ff75c411abc5b1be06c043250b9491fee766fa8668d8f51dc3b5ddc9fa2027434a3317f6d9b64d4af1cc0eea6d7a3
SSDEEP

49152:2nAQqMSPbcBVQej/i9MFyQTBlVPkn/RqqoQdEau3R8yAH1plAHI:yDqPoBhzi9tQLkn/REN3R8yAVp2HI

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3006) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

4136 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 1 IoCs

Processes:

b562c6ed92797b8227b94d4f6aed36dd.exe

description ioc process

File created C:\WINDOWS\tasksche.exe b562c6ed92797b8227b94d4f6aed36dd.exe

pid	process
4136	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	b562c6ed92797b8227b94d4f6aed36dd.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

b562c6ed92797b8227b94d4f6aed36dd.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	b562c6ed92797b8227b94d4f6aed36dd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	b562c6ed92797b8227b94d4f6aed36dd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	b562c6ed92797b8227b94d4f6aed36dd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	b562c6ed92797b8227b94d4f6aed36dd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	b562c6ed92797b8227b94d4f6aed36dd.exe

C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe
"C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe"
1⤵
- Drops file in Windows directory
PID:4784

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:4136

C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe
C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:3480

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
35d068c0d4e64720648dc40b64344412

SHA1
ae4b9c1fe950e6ec0d2531806b92c699d7a9a2ae

SHA256
cf119ef88df787c995341c0204bf3c6a50ada1c04b5737197710dcfa5a101c4f

SHA512
61ea9f3959ea0b5dff1ab7520bc609e844fa3a7fca9c8b63dfe5d62f5d63709dc0e5e03c182259504177d4e9272dc16d94b9ea5b4a36148c4c7b5b2e428cb56e

Download Submit