wannacry | e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde

General

Target

e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Size

3.6MB
MD5

2c9978e32806c6dbd072e3c096faab9b
SHA1

b8b57494825db6a0296c140ffc267478ea9e232f
SHA256

e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde
SHA512

8a873002d4fa315ba8b1de3c0afa1cf346a22e1e8edd220ae2487560b3887df97a54a5b227168ca2a2f44cad87af312ccd7c1484fd137537859a34ff9378fbd8
SSDEEP

98304:haPoBhz1aV6SAEdhvxWa9P593R8yAVp2HI:haPe1eZAEUadzR8yc4HI

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1297) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\97LVKO8T.txt	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\97LVKO8T.txt	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C60A9E4-ABDB-4D9B-A588-EA8943CBA7F3}\ce-98-33-14-f9-67	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-98-33-14-f9-67\WpadDecisionTime = e024d14b18e1d801	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-98-33-14-f9-67\WpadDecision = "0"	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C60A9E4-ABDB-4D9B-A588-EA8943CBA7F3}\WpadDecisionReason = "1"	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C60A9E4-ABDB-4D9B-A588-EA8943CBA7F3}\WpadDecision = "0"	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C60A9E4-ABDB-4D9B-A588-EA8943CBA7F3}\WpadNetworkName = "Network 3"	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-98-33-14-f9-67\WpadDecisionReason = "1"	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C60A9E4-ABDB-4D9B-A588-EA8943CBA7F3}	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-98-33-14-f9-67	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C60A9E4-ABDB-4D9B-A588-EA8943CBA7F3}\WpadDecisionTime = e024d14b18e1d801	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe

C:\Users\Admin\AppData\Local\Temp\e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
"C:\Users\Admin\AppData\Local\Temp\e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe"
1⤵
- Drops file in Windows directory
PID:1476

C:\Users\Admin\AppData\Local\Temp\e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe
C:\Users\Admin\AppData\Local\Temp\e0375f4024f08ad2fd6e451a4ba6f70f29bdf1d1a3767e92fd325cbde1b28dde.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1476-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing