wannacry | c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6

Analysis

max time kernel
152s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 08:11

Target

c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe
Size

5.0MB
MD5

14baa82b3b48237395b7f0b43927229f
SHA1

99b382b9b239db3a3a0cc34ade673d6071b773d8
SHA256

c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6
SHA512

2819aa2a242abd57db7580e6f03098f0555ea2410be65dca0780fc9dc20f2989d43670905fd58458e99018ac12dc4fb773e5e586b5da960c25fb8bc80b3627ca
SSDEEP

98304:yDqPoBhz1aRxcSUDk36SAEdhvxWa9P5N:yDqPe1Cxcxk3ZAEUadT

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1963) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

4564 tasksche.exe
Drops file in Windows directory 1 IoCs

Processes:

c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe

description ioc process

File created C:\WINDOWS\tasksche.exe c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe

pid	process
4564	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe

C:\Users\Admin\AppData\Local\Temp\c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe
"C:\Users\Admin\AppData\Local\Temp\c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe"
1⤵
- Drops file in Windows directory
PID:1432

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\AppData\Local\Temp\c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe
C:\Users\Admin\AppData\Local\Temp\c627a3087882305a308806c37c86758102f1a0f670abd8318d9988d4ec34aca6.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:1260

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
d18bd9b7efe4345dea8e9d6404077248

SHA1
e8122aff4404b3005b41e68bca03be3d0aac73c6

SHA256
68e73d468086e353fcecff73b663f704e6f6144a7c36c291d6573757633073f8

SHA512
ed6c8d86609f0acd694ea976fe253be1d36f0b8097df9e4d5f62fc3b2c5f9a3640f086226f39b9fc7b333c2cc7db3ffd765fd55b057c567758f0e7f70b2ea38f

Download Submit