wannacry | 2f3a50c8f864eeb1522df27972d13ff7ff047cec83b12f9b5f25557797df7f48

General

Target

2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Size

5.0MB
MD5

7d0234ddd85b0f0fdf1c9df82c3f4758
SHA1

d724deae507e14cd40d4e237c693c346aa8d0df4
SHA256

2f3a50c8f864eeb1522df27972d13ff7ff047cec83b12f9b5f25557797df7f48
SHA512

ba0a79d24cd1ba4aef13f748f5d6900dcf388d5623e27f149d2675b80ecef47b9fe97be9c3f45404c0e7619ebb44fc29c77df1c15db04bfe8a15e3dc7ac30fda
SSDEEP

49152:4nFQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvREauQH:oeqPoBhz1aRxcSUDk36SAEdhvYQH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3264) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
2852	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe

C:\Users\Admin\AppData\Local\Temp\2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2012
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  PID:2852

C:\Users\Admin\AppData\Local\Temp\2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2024-12-18_7d0234ddd85b0f0fdf1c9df82c3f4758_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
3cf16dd193715468af6bfa34a4c68566

SHA1
7919af5fc55f666afc5d6ec1d3b0f28a189bae41

SHA256
8e1e5a5fd2af9c46b848aee5f525796cab900cd56c3d67ec7a6f3b668aa33d86

SHA512
8517e5d8099f0b4768f96a7549345ec947402228c5c3ecf34cf57cd3e5d9fa0b19a1676bd8b3c918d27b3ae50cb260f3e2933566fa6530632da724c921bb3f53

Download Submit

Analysis

Sharing