wannacry | 260dd2a52674913188e9ab661bec987c7f421fcb028aeacd6c20f7f2e2acaa30

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 04:22

Target

15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe
Size

3.6MB
MD5

15f52fa392a8b4b15b338aa77842624d
SHA1

918613244d6e0bd95c1f588b9797e1c40f69bcbf
SHA256

260dd2a52674913188e9ab661bec987c7f421fcb028aeacd6c20f7f2e2acaa30
SHA512

351ca5f6693c06087b3fac40fb96fdbb426dc9c552b0c3bfb9ab5c5d10c85099e9638a3cde7f7f12cdd25803610724751c4620753431f56b54e73194c1f08e4c
SSDEEP

49152:2nAQqMSPbcBVQej/1IiRdhnvxJM0H9PAMEcaEau3R8yAH1plAHI:yDqPoBhz1ZdhvxWa9P593R8yAVp2HI

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3273) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2472 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 1 IoCs

Processes:

15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe

pid	process
2472	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
PID:1120

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:2472

C:\Users\Admin\AppData\Local\Temp\15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:3160

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
9f7d4b1b8084f3d18e7975638bfcfad8

SHA1
92256ba34c7ed31735e8bf6b1fbd66fa07302ed1

SHA256
71f0574932c7770f68a3e3968dbad0e75d7fad8f4f52fe2541485e9c70febcbb

SHA512
4fbb4c1aca5340eaf16c3e95114d2b697966fd4f18d9c1d06c0b13180421863d6e5eaee5f0b23025b66c46da2da7f52a723528b5faf4a9316cd2da6b08bb441a

Download Submit