wannacry | 441116d55e97124a067207bf57483dd3462bccfb034e56c4152675b0dcb118e7

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Size

3.6MB
MD5

ef29f0f2a7b98ea19767b8ae66d1ffb8
SHA1

093b3916ee1bea0442278d0aa87be5703207e627
SHA256

b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c
SHA512

9ab431d19633ed54dc1cc8bc4e511cabcfcba56ee0ff30197f5bd7aca07b33f2b605ab17f07fba066f5c910903f27bb04f4eb04cbed539af783564bbeba2c80e
SSDEEP

98304:yDqPoBhhRxcSUDk36SAEdhvxWa9P59Uc/Jf:yDqPSxcxk3ZAEUadv1

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3259) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2684 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2684	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe

Drops file in Windows directory 1 IoCs

Processes:

b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe

description ioc process

File created C:\WINDOWS\tasksche.exe b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D}	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D}\WpadDecision = "0"	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0142000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D}\WpadDecisionTime = a0b06582b477da01	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D}\2a-2f-02-f8-be-dd	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D}\WpadNetworkName = "Network 3"	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2f-02-f8-be-dd	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D}\WpadDecisionReason = "1"	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2f-02-f8-be-dd\WpadDecisionReason = "1"	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2f-02-f8-be-dd\WpadDecisionTime = a0b06582b477da01	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2f-02-f8-be-dd\WpadDecision = "0"	b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe

C:\Users\Admin\AppData\Local\Temp\b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
"C:\Users\Admin\AppData\Local\Temp\b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe"
1⤵
- Drops file in Windows directory
PID:2552

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:2684

C:\Users\Admin\AppData\Local\Temp\b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe
C:\Users\Admin\AppData\Local\Temp\b764629e1f43851daf984c9372422b65ddceae28f83d6211873f4c8f8672c41c.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
2.6MB

MD5
4d2da4ff791ea108284e3dfb228f5f18

SHA1
10ebf8a7a69ed09292e7062840398c79fc8898f2

SHA256
c5e3bc70fc27bd92fb2264ef45822098bafe19a1d3a9f7effeb174c33253a3f6

SHA512
1387894dc45d6cdda5f0ad2eb8df506dd9f696ce966f40962ae03e0fe183cd70db7d7513aadc4b1709206e6f9890bc7be457f5e287689977cb25f4765b533183

Download Submit