wannacry | efa7b9b0cfd862cc6bca151d63cca7e5fd0da0d39ddbc327c6c2b340eb4dbe06

General

Target

437bcfcc27e4ba1116f0159dde871bdb.exe
Size

5.0MB
MD5

437bcfcc27e4ba1116f0159dde871bdb
SHA1

6e65905373c3ea527749fc52c219dfc45c76a5cb
SHA256

efa7b9b0cfd862cc6bca151d63cca7e5fd0da0d39ddbc327c6c2b340eb4dbe06
SHA512

3104ab347a641a8489c51989f925a0a0d008801e65ee2dae52c95ef03ad76323342dc574ab50fb51f3263fbdb0d25e9d6b4f5e4ff79c53144a6e879fc0e50211
SSDEEP

49152:XnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:XDqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1259) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

1296 tasksche.exe

pid	process
1296	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

437bcfcc27e4ba1116f0159dde871bdb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	437bcfcc27e4ba1116f0159dde871bdb.exe

Drops file in Windows directory 1 IoCs

Processes:

437bcfcc27e4ba1116f0159dde871bdb.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 437bcfcc27e4ba1116f0159dde871bdb.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	437bcfcc27e4ba1116f0159dde871bdb.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

437bcfcc27e4ba1116f0159dde871bdb.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0091000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\WpadDecisionTime = 2019d1cc21cdd801	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-dd-0f-5e-73-0c\WpadDecisionTime = 2019d1cc21cdd801	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	437bcfcc27e4ba1116f0159dde871bdb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\WpadNetworkName = "Network 3"	437bcfcc27e4ba1116f0159dde871bdb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-dd-0f-5e-73-0c	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\WpadDecision = "0"	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	437bcfcc27e4ba1116f0159dde871bdb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	437bcfcc27e4ba1116f0159dde871bdb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\WpadDecisionReason = "1"	437bcfcc27e4ba1116f0159dde871bdb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{44705F7C-6AA8-4ED6-A2F5-774BD2740C95}\d6-dd-0f-5e-73-0c	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-dd-0f-5e-73-0c\WpadDecisionReason = "1"	437bcfcc27e4ba1116f0159dde871bdb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	437bcfcc27e4ba1116f0159dde871bdb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	437bcfcc27e4ba1116f0159dde871bdb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	437bcfcc27e4ba1116f0159dde871bdb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-dd-0f-5e-73-0c\WpadDecision = "0"	437bcfcc27e4ba1116f0159dde871bdb.exe

C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe
"C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe"
1⤵
- Drops file in Windows directory
PID:856

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:1296

C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe
C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
1cf3eb065ddbecfb5bf82c3a7f485240

SHA1
26859d3823d1313ffe5fcbabb16cc95be231fe76

SHA256
a384045005889777a0d68368279f27e31e2e07996ca547ab90290cdf7f87734c

SHA512
9e09527b0ea0df9f5369bf4a435021c62131953fe109e0865f87f64f8340480f5df7c127f0b262f61e045c767f970519848881f32f1b558f6135dcc658f321a5

Download Submit
memory/856-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing