wannacry | d725d718d3da4e96b78c5b1cdfa78c7216b9da09a86e2cfeb1db999fa7fdb15c

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 08:51

Target

a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
Size

3.6MB
MD5

a8d171d612fecdd8c37170d839e99718
SHA1

3399123ce30203c83b1aae3f4bb474ab6581effb
SHA256

d725d718d3da4e96b78c5b1cdfa78c7216b9da09a86e2cfeb1db999fa7fdb15c
SHA512

b19487e74b1eb12bc3152396d692d51d23b031769d295bc2f573bacee99dd1020d13338df1a7d3144a49545d6933b517114875efe15ac13bb0dc683ac28badbe
SSDEEP

49152:XnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SA:XDqPoBhz1aRxcSUDk36SA

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2685) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

1592 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 1 IoCs

Processes:

a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe

description ioc process

File created C:\WINDOWS\tasksche.exe a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe

pid	process
1592	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
PID:2372

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:1592

C:\Users\Admin\AppData\Local\Temp\a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:1336

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
39f3bd9b3228bef7dde5b287a0a3e852

SHA1
d93a73f21e3a465617239d092fa1e15b0341c20a

SHA256
8f9245d26ffa7f87411575a8e60f021691e1a1fbe6ea584f685d365276995baf

SHA512
e91383329848abd8d4470ae5454fad12bca7fb5eab217254e8863036686e18b6d389f2bb3c6f5ca7a2f3a52e951440b4c0eca18b3bf6ccd78e5a545dc1b4804d

Download Submit