wannacry | 30f454423dc927bcf589a2fc7922eee9917bab403e1c7a2ac31904c6f003ec5e

General

Target

e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Size

6.4MB
MD5

1d82912d3e95cc2f66d43f61e0be37b1
SHA1

fbd822032c4a40ecc3582278eb1f2e7b7dcd884e
SHA256

e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3
SHA512

5830f5c5c5e878eb8c07ffea1d1b4e69271c0e1f22a68979ea38cdd956bac1b4bf82b6f4dd976de80a9fbf5956a7fd546e917b8628c72b49a0f184538a20ff38
SSDEEP

98304:KuqPoBhz1aRxcSUDk36SAEdhvxW1A593R8yAVp2HI:KuqPe1Cxcxk3ZAEUizR8yc4HI

Score

10^/10

wannacry ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Executes dropped EXE 1 IoCs

pid	Process
1776	tasksche.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCDC3B54-DE1F-4FB5-9E25-EB67D463A405}\WpadDecisionTime = 80a568552382d901	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCDC3B54-DE1F-4FB5-9E25-EB67D463A405}\WpadDecision = "0"	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-fa-81-33-76-28	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-fa-81-33-76-28\WpadDecisionReason = "1"	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-fa-81-33-76-28\WpadDecision = "0"	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCDC3B54-DE1F-4FB5-9E25-EB67D463A405}	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCDC3B54-DE1F-4FB5-9E25-EB67D463A405}\WpadDecisionReason = "1"	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCDC3B54-DE1F-4FB5-9E25-EB67D463A405}\72-fa-81-33-76-28	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FCDC3B54-DE1F-4FB5-9E25-EB67D463A405}\WpadNetworkName = "Network 3"	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-fa-81-33-76-28\WpadDecisionTime = 80a568552382d901	e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe

C:\Users\Admin\AppData\Local\Temp\e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
"C:\Users\Admin\AppData\Local\Temp\e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe"
1⤵
- Drops file in Windows directory
PID:1100
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:1776

C:\Users\Admin\AppData\Local\Temp\e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe
C:\Users\Admin\AppData\Local\Temp\e672965e0783643633efb6dab2d569add812e53af997cf48bd5d788e53de55d3.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
806288ac8e64c5e9a98f662565dd7f47

SHA1
7103e1cb1c5b0179179cb21a4baa600cb1a8602e

SHA256
ca703ae8f33a5870e480cb139b6942fb80843563ba6441efbe2b84bb218bf162

SHA512
dd2a7e660972f07a8619d1696221f5dd53d2befc961703a81fc087f46903abb5828a54b0f22330c7e879d16fdab714cd3581fa4390c90fa50f77d4f1ce3b3e00

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads