wannacry | d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104

Analysis

max time kernel
152s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2022 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Size

3.6MB
MD5

5417d5e6a0d2c6c0537457e575ad78fe
SHA1

ca19a2c7db93dfa3324b3c5c87ff155f31c43858
SHA256

d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104
SHA512

3a75261571554f68f761afe86239da8ba3952b0f32d0bc2b564c0b7ef7f82552c2f2e9d6a831d545a22f171a9b38907fbdcfdf8f97b8917f193dd1eb24f3e05e
SSDEEP

12288:GvbLgPluCtgQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D:2bLgdrgQhfdmMSirYbcMNgef0

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3204) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe

C:\Users\Admin\AppData\Local\Temp\d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
"C:\Users\Admin\AppData\Local\Temp\d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe"
1⤵
- Drops file in Windows directory
PID:3052

C:\Users\Admin\AppData\Local\Temp\d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe
C:\Users\Admin\AppData\Local\Temp\d95b7178341763577fd36164ea2f182a9b5fbec7f1d8ca9beed46b6071e05104.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:5088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads