wannacry | f2268c7d15cd4e9b0849786eaaf260e08439bf25cd77c782c2e94ea6f76ceffa

General

Target

2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Size

3.6MB
MD5

dd2a915faceebbdcf279a3e42f40b1c2
SHA1

3bf55cb4f2b19766d8e745d807835c96c4794ecd
SHA256

f2268c7d15cd4e9b0849786eaaf260e08439bf25cd77c782c2e94ea6f76ceffa
SHA512

6a9c29ec2d5480d4811471f942c9aa1c51c92d47bd629d72e0567fc49642798e7846266146698ffb7931578080fe91de9b9d7861d972b3487a2e01524e6f081c
SSDEEP

98304:yDqvoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:yDqve1Cxcxk3ZAEUadzR8yc4HI

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3321) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2756 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2756	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe

Drops file in Windows directory 1 IoCs

Processes:

2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E411C6D7-0E75-47A3-8D24-0E2B518A82CB}\WpadDecisionTime = 80371dc9dd2fda01	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-cb-92-a5-59	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E411C6D7-0E75-47A3-8D24-0E2B518A82CB}\6e-ce-cb-92-a5-59	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-cb-92-a5-59\WpadDecisionReason = "1"	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-cb-92-a5-59\WpadDecisionTime = 80371dc9dd2fda01	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E411C6D7-0E75-47A3-8D24-0E2B518A82CB}\WpadNetworkName = "Network 3"	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E411C6D7-0E75-47A3-8D24-0E2B518A82CB}	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E411C6D7-0E75-47A3-8D24-0E2B518A82CB}\WpadDecisionReason = "1"	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E411C6D7-0E75-47A3-8D24-0E2B518A82CB}\WpadDecision = "0"	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-ce-cb-92-a5-59\WpadDecision = "0"	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe"
1⤵
- Drops file in Windows directory
PID:2444

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:2756

C:\Users\Admin\AppData\Local\Temp\2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2023-12-11_dd2a915faceebbdcf279a3e42f40b1c2_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
bb33acd999ee8ac3fa1fd28d502c1774

SHA1
40027b17b1cd7863863247c53eb04e5dde3ae7fd

SHA256
20f5cd1490db096f2e581ee5a219a8b4b832a615b0729432ad0126e79159ae3b

SHA512
9f1ccb7236aae93327e3683cf2e987f30089e9575412c4d4f1ac5afe0c24fd6a2c0eff36c902bcfdde0ada1518ed31939f21b4e42a6072dedf548dba0877741e

Download Submit

Analysis

Sharing