wannacry | 86f849585db5b4c08fc457b7118e2f22673e2a70157e8695fa6c5b192bb02a17

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 09:46

Target

2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe
Size

3.6MB
MD5

b3c6bb2b504e6096872b84ec0ff16a4a
SHA1

e1d6d1b8cb7a0b35f4070254d3b548cbb4eea8da
SHA256

86f849585db5b4c08fc457b7118e2f22673e2a70157e8695fa6c5b192bb02a17
SHA512

d5dc8ee1c6ecc56978b9b634562ae7c04c762cb7db9e3fe5e7a489f5d12667f911f6935d475ca0bc602b6edaebcabaeb4db31aec2ad817473d75aadb3a36f2ae
SSDEEP

49152:2nAQqMSPbcBVaNRx+TSqTdX1HkQo6SAA:yDqPoBiRxcSUDk36SA

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2695) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2712 tasksche.exe
Drops file in Windows directory 1 IoCs

Processes:

2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe

pid	process
2712	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe"
1⤵
- Drops file in Windows directory
PID:4156

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:2712

C:\Users\Admin\AppData\Local\Temp\2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-06-14_b3c6bb2b504e6096872b84ec0ff16a4a_wannacry.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:4744

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7b59aa7012e4819420094b0ab860770d

SHA1
d94009a1448c643d0dbd65fd5c85b67de938cf04

SHA256
c36000c7a12259bf274258e383ccfb01b084716bf8e02a7404864cda5ed8d938

SHA512
10fb4429a454e2a16f2ba3be660eefc0cf3dd064ac191327534ef7366ea7d9e2f0da44de83ac0bf46af5442ce1c1409a005f8f8c4d3512325b2e8590b8a7e015

Download Submit