wannacry | 7587e15416957883b390afba98fedc4b4ff4ba7d111d9f03365b6a09b86d5d5c

General

Target

07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
Size

3.6MB
MD5

d724d8cc6420f06e8a48752f0da11c66
SHA1

3b669778698972c402f7c149fc844d0ddb3a00e8
SHA256

07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
SHA512

d771d74894e72402bbd016787fb102053678424205644bceec17ee3e7598e3f4aeb59b0f3272b5dbe1d26289f659024520653f57fc1bfe18054ffae4f188aef9
SSDEEP

98304:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:Z8qPe1Cxcxk3ZAEUadzR8yc4HI

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3260) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

4252 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 1 IoCs

Processes:

07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe

pid	process
4252	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings OpenWith.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

4796 EXCEL.EXE
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

EXCEL.EXEOpenWith.exe

pid process

4796 EXCEL.EXE
4796 EXCEL.EXE
4796 EXCEL.EXE
4796 EXCEL.EXE
4796 EXCEL.EXE
4796 EXCEL.EXE
4796 EXCEL.EXE
4796 EXCEL.EXE
4796 EXCEL.EXE
3432 OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	OpenWith.exe

pid	process
4796	EXCEL.EXE

pid	process
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
4796	EXCEL.EXE
3432	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
"C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe"
1⤵
- Drops file in Windows directory
PID:2144

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:4252

C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe
C:\Users\Admin\AppData\Local\Temp\07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd.exe -m security
1⤵
PID:752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:2444

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\MergeComplete.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/4796-3-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-6-0x00007FF816A4D000-0x00007FF816A4E000-memory.dmp

Filesize
4KB

Download
memory/4796-5-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-4-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-8-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-7-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-11-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-14-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-15-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-13-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-17-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-16-0x00007FF7D47E0000-0x00007FF7D47F0000-memory.dmp

Filesize
64KB

Download
memory/4796-18-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-21-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-20-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-19-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-12-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-10-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-9-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-22-0x00007FF7D47E0000-0x00007FF7D47F0000-memory.dmp

Filesize
64KB

Download
memory/4796-24-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-25-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-23-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-35-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download
memory/4796-49-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-52-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-51-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-50-0x00007FF7D6A30000-0x00007FF7D6A40000-memory.dmp

Filesize
64KB

Download
memory/4796-53-0x00007FF8169B0000-0x00007FF816BA5000-memory.dmp

Filesize
2.0MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads