wannacry | 1df589371260c5c63e486ad3eaacab4776c9a04871d61f3aef8b14f5708fef1d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 16:06

Target

67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe
Size

3.6MB
MD5

67d6630b1c9a58743d02026a9dd26a05
SHA1

8f9045f02bcfd64c3c261e5b6368a0ffec913789
SHA256

1df589371260c5c63e486ad3eaacab4776c9a04871d61f3aef8b14f5708fef1d
SHA512

f0d4c19c487a78074e9d6b6ec8a03d9ba8b49952968bddad21f3e770db1d9f5fffbd4c75e9547212be14fb5ea5d31d06218afc10665e7b358e1ace87aad41a6c
SSDEEP

49152:2nAQqMSPbcBVpPAMEcaEau3R8yAH1plAH:yDqPoBPP593R8yAVp2H

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3290) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

3268 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 1 IoCs

Processes:

67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe

pid	process
3268	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
PID:1384

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:3268

C:\Users\Admin\AppData\Local\Temp\67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\67d6630b1c9a58743d02026a9dd26a05_JaffaCakes118.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8
1⤵
PID:4268

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
96d947b6ef830868e8bad9343713fcc4

SHA1
6612eb3c1ec1999f2c8608105821020f94988258

SHA256
47d1e1f91f6d63cd2720ec17b4166c2fe036a5a999c1c6e317cf0144f1372fed

SHA512
a9107dae7ad760f4a526f6f8ca0c67c7316dda6864ac8690f4996ab0d4ef94974f292c18d093d2d5dfc7f711d541e5d53acca1cb05ac6d9fb31dc0b698310d03

Download Submit