wannacry | 65ffed1aa8fe44b4261f214de32f74e853d43d1b9ca425182ae0193ea5d29a9d

General

Target

2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Size

5.0MB
MD5

3c605f2e9af22601b6dec4daa2c95fc0
SHA1

54fa86b01803db3cbe588a5f3be19773256fe518
SHA256

65ffed1aa8fe44b4261f214de32f74e853d43d1b9ca425182ae0193ea5d29a9d
SHA512

e96217a27b25e534f733db84098644fa736a93d54de72a1d76a73f29960be77ac657f7989b4b8bdd40437b5f9072070e518f9487ba78fe4510ec68c361b1ce69
SSDEEP

6144:eE9l9ynRIYVTH5DgSgNajldktM0XXrO2/HJKyrYev3AiiVjAqZfAgbJ3iqMgAyY:e1bLgmlu//dhAvVLJAmd3A

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3229) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
4964	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3968	4964	WerFault.exe	90
4888	4964	WerFault.exe	90

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 4964	4856	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe	90
PID 4856 wrote to memory of 4964	4856	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe	90
PID 4856 wrote to memory of 4964	4856	2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe	90

C:\Users\Admin\AppData\Local\Temp\2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4856
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:4964
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 216
    3⤵
    - Program crash
    PID:3968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 260
    3⤵
    - Program crash
    PID:4888

C:\Users\Admin\AppData\Local\Temp\2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-07-23_3c605f2e9af22601b6dec4daa2c95fc0_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4964 -ip 4964
1⤵
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4964 -ip 4964
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
2.0MB

MD5
250ff99090260532ff0acf9da52e8602

SHA1
f51193260ef8396caf576c432ddaece649928a6b

SHA256
faeebe09f45e15faf27a262ef3780feed5b4c3e885cad37742635fd490d74109

SHA512
be5fefd2744a2277b6ac1a24899e6112775e0e48fd7d7868032a7984bb84cbafdb9e628682e21650a5521ba1168ca3686079842b83e2a946f41b47e8dae2b475

Download Submit

Analysis

Sharing