wannacry | 20d7176a3b709092ac33b2754a008a565da9a9b5e1244274684d01fdf2ac13b7

General

Target

00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Size

3.6MB
MD5

00622c537d8017d912ff98d005c89143
SHA1

c7d7047b0cd7728d8833f31f2740e948b91291c7
SHA256

20d7176a3b709092ac33b2754a008a565da9a9b5e1244274684d01fdf2ac13b7
SHA512

40190e6b589426894cee6f9532d19f6a58a3f25b9cccc11ef597de5011c6cec7e6a381fef8a153289cde45525f8349bafc4c0e82e0dee5e47dad25365d4894a2
SSDEEP

98304:XDqPoBkaRxcSUZk36SAEdhvxWa9P593R8yAVp2HI:XDqPZCxc7k3ZAEUadzR8yc4HI

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3270) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2644 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2644	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

00622c537d8017d912ff98d005c89143_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

Processes:

00622c537d8017d912ff98d005c89143_JaffaCakes118.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 00622c537d8017d912ff98d005c89143_JaffaCakes118.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

00622c537d8017d912ff98d005c89143_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\6e-24-79-be-18-c1	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1\WpadDecisionReason = "1"	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadDecisionTime = 30af2578b497da01	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadDecision = "0"	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadNetworkName = "Network 3"	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ec000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1\WpadDecisionTime = 30af2578b497da01	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1\WpadDecision = "0"	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadDecisionReason = "1"	00622c537d8017d912ff98d005c89143_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00622c537d8017d912ff98d005c89143_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
PID:2876

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:2644

C:\Users\Admin\AppData\Local\Temp\00622c537d8017d912ff98d005c89143_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\00622c537d8017d912ff98d005c89143_JaffaCakes118.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
72469510fc7cb94cd73e9262e6cb93c9

SHA1
c05102ca20e4f5203fffe86fa02e9be2846a92b2

SHA256
494e145ae96fd4c7cbab6f0a99f37b7745a86dd46286de907edf5054676ba94d

SHA512
9142dae472885af2e3c42e8c676a00838beb38cef8bb02032d88fd02245057e0d9d37ff76cf60a78b2e8f385a314df94c12e79f64a65ec2cd13cb908466f4026

Download Submit

Analysis

Sharing