wannacry | 230858b67d4a306017342b47310c447d9eb5a02e6284b39b3603ab31b7a65966

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 11:08

Target

ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
Size

3.6MB
MD5

ae21b6f5956755d9f9ac2fbc72ced294
SHA1

5ec07870be0a5c3fe1940464d8710f44f75141ee
SHA256

230858b67d4a306017342b47310c447d9eb5a02e6284b39b3603ab31b7a65966
SHA512

eb90d26a1e29d5b12bac54a09c47f630b29ec39d66b14f1fe5e191453be4fcd9e438e6b7a1b1e3378a28a1b4d7f6ff6489acfcc3c0a1cbb7cfeee456a0090b97
SSDEEP

49152:2nAQqMyoueyYXIUeUNPLiD0iC7L1JXTXeVAMgBt3:yDq6TD31Nhj3

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2699) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2072 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 1 IoCs

Processes:

ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe

description ioc process

File created C:\WINDOWS\tasksche.exe ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe

pid	process
2072	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
PID:968

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:2072

C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe -m security
1⤵
- Modifies data under HKEY_USERS
PID:1088

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
46685152460e8e36f651662b907c1f38

SHA1
ece550eb7c419fda0b990b4c7fdb851af37e6479

SHA256
1b55ca664559e0aeb8fd1a40a3edfccd2a93a1d2edbf31cbeeb9a8d5b00f20da

SHA512
ca935d204afb041d392aef91ee1f5cf481b005c4e7dc6a6accbb2db7a61183e017d3f870641ca74c769dc2467f065e57eb7ed534cabde0d5c0b6863b25ffb441

Download Submit