wannacry | 85f5061d48750a64b929924d147eed7b0a643b38854fac0f072e2061433e0585

General

Target

ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe
Size

3.6MB
MD5

ce9bf2f35c44c682cbc9c2a346815718
SHA1

0d979d19264f092d5bcdc322bd0a057bacdaf39d
SHA256

85f5061d48750a64b929924d147eed7b0a643b38854fac0f072e2061433e0585
SHA512

a507634bec7507e251735a924c57317daeafb5b03704d05fcf89959a63ced8df986d797ea7a2b6ab1880bde57b392f57ef3e7497db1a4fc6c2c0eb1beeaff1b7
SSDEEP

98304:XDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R0:XDqPe1Cxcxk3ZAEUadzR0

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (974) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
2012	tasksche.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2344	WINWORD.EXE
2344	WINWORD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2344	WINWORD.EXE
2344	WINWORD.EXE
2344	WINWORD.EXE
2344	WINWORD.EXE
2344	WINWORD.EXE
2344	WINWORD.EXE
2344	WINWORD.EXE
2344	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5004
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2012

C:\Users\Admin\AppData\Local\Temp\ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\ce9bf2f35c44c682cbc9c2a346815718_JaffaCakes118.exe -m security
1⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:340

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\EditRead.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

Query Registry

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCD2EA0.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
315B

MD5
3fdb07b5471baff15330296fadb97bda

SHA1
e22771b4cd7513c074063bc1875895411bb71a9b

SHA256
a7268fa0e8bf155362c1cc0a9b82e8d15af7f64acfa3e5021150843d43cb1bc2

SHA512
8b51db499fef6d0226e1e8e7b0c6f89c3143f8fa57a49b150ec85c59ac6d1f562639d0475011cb5827c42a341a41cfdbe86a13e860283087566bd53691c4493e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
caf8b0a9c798e89a2e667e0be77c8f3d

SHA1
46d9fbf26293ce41b4c6731175f1f69099e10002

SHA256
1a6d86d32f182147a0a4c74c3acaf2e605b1fbbcc84a84d33037713013de02bf

SHA512
dc1337d690753a2a05ea9fa320b245fdc0454065ac17b2a81cec41202406544b12b6c252b77774e8cbc39593e40d463090f4ebe0027ca137fbe22467ca4097c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
39b3f9589effae5ad2a94035963734ca

SHA1
5c52519eff24af550e2ef4f86c6f6835a7cc4f89

SHA256
e4bdf2d955991a9faadc825135e1a35c52e2238a90b77b01746de0215befe4d7

SHA512
8b3f1ada68d7e7e569116755d2945d31ce4055ed586bacf05c78491fa68509b3bcda93f688518a112ec2f5ebfb8edd7bb2e1f80f97a1218ced3a0d3cc786ddad

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
4dbea90de35d581156177c29e90e613c

SHA1
36784aa8642cee16bdf8e5d979c16f74975ff742

SHA256
390e1e514a3215a1ccb49d9cfb4fa66d0c9ad0f74511c48432187430e8032041

SHA512
276599b7e83dd35faa81d05f17dbd8e5692a2aff90a100705b3777be33b6010f428e778672a4a270a927b1286eee28212696026a42b95d8558f58f44a7d7c1d7

Download Submit
memory/2344-12-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-3-0x00007FFDB7290000-0x00007FFDB72A0000-memory.dmp

Filesize
64KB

Download
memory/2344-13-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-16-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-17-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-15-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-19-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-18-0x00007FFDB4FF0000-0x00007FFDB5000000-memory.dmp

Filesize
64KB

Download
memory/2344-14-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-9-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-10-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-20-0x00007FFDB4FF0000-0x00007FFDB5000000-memory.dmp

Filesize
64KB

Download
memory/2344-8-0x00007FFDB7290000-0x00007FFDB72A0000-memory.dmp

Filesize
64KB

Download
memory/2344-11-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-5-0x00007FFDB7290000-0x00007FFDB72A0000-memory.dmp

Filesize
64KB

Download
memory/2344-53-0x00007FFDF72A3000-0x00007FFDF72A4000-memory.dmp

Filesize
4KB

Download
memory/2344-54-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-55-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-56-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-57-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-58-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-59-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-60-0x00007FFDF7200000-0x00007FFDF7409000-memory.dmp

Filesize
2.0MB

Download
memory/2344-7-0x00007FFDB7290000-0x00007FFDB72A0000-memory.dmp

Filesize
64KB

Download
memory/2344-6-0x00007FFDB7290000-0x00007FFDB72A0000-memory.dmp

Filesize
64KB

Download
memory/2344-4-0x00007FFDF72A3000-0x00007FFDF72A4000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads