wannacry | 1c7f69530d4986ede246d01254cc1435c1a7e183c09a7f73a57c103fec7b9857

Analysis

max time kernel
158s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2023 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-05-01_e421a1413a11f5750aa178d9945d4158_wannacry.exe
Size

5.0MB
MD5

e421a1413a11f5750aa178d9945d4158
SHA1

ae081a93e399217ffca63e678715f7c6766cb29b
SHA256

1c7f69530d4986ede246d01254cc1435c1a7e183c09a7f73a57c103fec7b9857
SHA512

6b9a5be4ca97e91cbb11a5482085423269db43fe0c980a1508af5853979f936ec866c07f5bf11c556f0de61f348af56cb1e2389871f426d9fc6ebf32844471bb
SSDEEP

49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdh:yDqPoBhz1aRxcSUDk36SAEdh

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3153) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Executes dropped EXE 1 IoCs

pid	Process
2768	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2023-05-01_e421a1413a11f5750aa178d9945d4158_wannacry.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2023-05-01_e421a1413a11f5750aa178d9945d4158_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2023-05-01_e421a1413a11f5750aa178d9945d4158_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2023-05-01_e421a1413a11f5750aa178d9945d4158_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2023-05-01_e421a1413a11f5750aa178d9945d4158_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2023-05-01_e421a1413a11f5750aa178d9945d4158_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2023-05-01_e421a1413a11f5750aa178d9945d4158_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2023-05-01_e421a1413a11f5750aa178d9945d4158_wannacry.exe"
1⤵
- Drops file in Windows directory
PID:1212
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2768

C:\Users\Admin\AppData\Local\Temp\2023-05-01_e421a1413a11f5750aa178d9945d4158_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2023-05-01_e421a1413a11f5750aa178d9945d4158_wannacry.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:1928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
5abe0aa95b8bd2c4e72cefb4fa309e6f

SHA1
a3965c6add1e7d436c24d74189692163212345c9

SHA256
e5bc13c336b5f705259aa6495243ad7016866864238b2fca10fa6af8db1cf1ea

SHA512
dbb2edebf9fd5773e318fd56e586b441e8cb31a4f02a94407da474ec767c40d8932094962e637bfd8150efa0b19ad1cc14d03a64d59d4766d607e1ffabe76aca

Download Submit