wannacry | 5f8e1de744bccf4d649d5013fc8c5f2de42e8ca5eb99a541896e4f45844066eb

General

Target

834389b39d5f26ab08bd160f9a102ec0.exe
Size

3.6MB
MD5

834389b39d5f26ab08bd160f9a102ec0
SHA1

421afaca0623357c4ac0786ad3ad91df7428273e
SHA256

5f8e1de744bccf4d649d5013fc8c5f2de42e8ca5eb99a541896e4f45844066eb
SHA512

244fd59feca3048eac677b2c93f745bee3192d1a97efed079e7cedd716c62ae914aef405ff4e439ecab55a4f8729db7710e724898f5f9de32d3361a949450b5d
SSDEEP

12288:GvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D4OWFiUBk38p:2bLgddQhfdmMSirYbcMNgef0JR0UriUb

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1015) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

1688 tasksche.exe

pid	process
1688	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

834389b39d5f26ab08bd160f9a102ec0.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	834389b39d5f26ab08bd160f9a102ec0.exe

Drops file in Windows directory 1 IoCs

Processes:

834389b39d5f26ab08bd160f9a102ec0.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 834389b39d5f26ab08bd160f9a102ec0.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	834389b39d5f26ab08bd160f9a102ec0.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

834389b39d5f26ab08bd160f9a102ec0.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	834389b39d5f26ab08bd160f9a102ec0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-b5-0c-0c-ba-7b\WpadDecision = "0"	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	834389b39d5f26ab08bd160f9a102ec0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AED597F6-057A-47AA-AF29-71E5DD934CE3}	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AED597F6-057A-47AA-AF29-71E5DD934CE3}\WpadNetworkName = "Network 2"	834389b39d5f26ab08bd160f9a102ec0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AED597F6-057A-47AA-AF29-71E5DD934CE3}\0a-b5-0c-0c-ba-7b	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-b5-0c-0c-ba-7b\WpadDecisionReason = "1"	834389b39d5f26ab08bd160f9a102ec0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	834389b39d5f26ab08bd160f9a102ec0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	834389b39d5f26ab08bd160f9a102ec0.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	834389b39d5f26ab08bd160f9a102ec0.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-b5-0c-0c-ba-7b	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-b5-0c-0c-ba-7b\WpadDecisionTime = 1006666138d8d801	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AED597F6-057A-47AA-AF29-71E5DD934CE3}\WpadDecisionReason = "1"	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AED597F6-057A-47AA-AF29-71E5DD934CE3}\WpadDecisionTime = 1006666138d8d801	834389b39d5f26ab08bd160f9a102ec0.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AED597F6-057A-47AA-AF29-71E5DD934CE3}\WpadDecision = "0"	834389b39d5f26ab08bd160f9a102ec0.exe

C:\Users\Admin\AppData\Local\Temp\834389b39d5f26ab08bd160f9a102ec0.exe
"C:\Users\Admin\AppData\Local\Temp\834389b39d5f26ab08bd160f9a102ec0.exe"
1⤵
- Drops file in Windows directory
PID:1728

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:1688

C:\Users\Admin\AppData\Local\Temp\834389b39d5f26ab08bd160f9a102ec0.exe
C:\Users\Admin\AppData\Local\Temp\834389b39d5f26ab08bd160f9a102ec0.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
7adc7088044265dfa37a450adf237102

SHA1
3952ee4debef7d327f7cc1cdbdb60c0fc6dcf327

SHA256
88935dcd80704c43847491d530f89312342597dcfa0b8620e6d53de790594f96

SHA512
1761e0fcbb15432a14a49aa127c65b1f23edef7371555b10e190eb941b036f4b8692a2044cbb6fe5cc7b88b48ac6cac46e32f30cab70177da301f7403d3647ec

Download Submit
memory/1728-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing