wannacry | 0c0dc95da63419bf6e5cb477d146316d91ee22a1f513c3a96a3d2b979f2777aa

General

Target

2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Size

5.0MB
MD5

ad5eacec25a49a8eafe1dec194f35782
SHA1

34d019662786284bc0b9beb9731aea919988f6c1
SHA256

0c0dc95da63419bf6e5cb477d146316d91ee22a1f513c3a96a3d2b979f2777aa
SHA512

951d64c27b04bd9bb26cea59401dbdf45a582bae0f819b0fd4a02eae0de850960633e29d4ba9cd3daaa52b0a94602f3e3c69f1c82449d79b4845d6476e952c74
SSDEEP

49152:QnVENPbcBVQej/1INRx+TSqTdX1HkQo6SAA:QVOoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3065) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
2840	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\1K267EHT.txt	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\1K267EHT.txt	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\8KTEJZGG.txt	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\8KTEJZGG.txt	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	2840	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{788A0A1D-7D7F-4D43-AE7F-1A1C41184F5A}\WpadDecisionTime = 40a9ac660e68db01	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{788A0A1D-7D7F-4D43-AE7F-1A1C41184F5A}\WpadNetworkName = "Network 3"	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-0f-8c-df-8a-7f	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{788A0A1D-7D7F-4D43-AE7F-1A1C41184F5A}	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{788A0A1D-7D7F-4D43-AE7F-1A1C41184F5A}\WpadDecision = "0"	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-0f-8c-df-8a-7f\WpadDecision = "0"	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{788A0A1D-7D7F-4D43-AE7F-1A1C41184F5A}\de-0f-8c-df-8a-7f	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-0f-8c-df-8a-7f\WpadDecisionTime = 40a9ac660e68db01	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{788A0A1D-7D7F-4D43-AE7F-1A1C41184F5A}\WpadDecisionReason = "1"	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-0f-8c-df-8a-7f\WpadDecisionReason = "1"	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2840	1628	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe	33
PID 1628 wrote to memory of 2840	1628	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe	33
PID 1628 wrote to memory of 2840	1628	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe	33
PID 1628 wrote to memory of 2840	1628	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe	33
PID 1628 wrote to memory of 2840	1628	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe	33
PID 1628 wrote to memory of 2840	1628	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe	33
PID 1628 wrote to memory of 2840	1628	2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe	33
PID 2840 wrote to memory of 2768	2840	tasksche.exe	34
PID 2840 wrote to memory of 2768	2840	tasksche.exe	34
PID 2840 wrote to memory of 2768	2840	tasksche.exe	34
PID 2840 wrote to memory of 2768	2840	tasksche.exe	34
PID 2840 wrote to memory of 2768	2840	tasksche.exe	34
PID 2840 wrote to memory of 2768	2840	tasksche.exe	34
PID 2840 wrote to memory of 2768	2840	tasksche.exe	34

C:\Users\Admin\AppData\Local\Temp\2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 224
    3⤵
    - Program crash
    PID:2768

C:\Users\Admin\AppData\Local\Temp\2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-01-16_ad5eacec25a49a8eafe1dec194f35782_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\tasksche.exe

Filesize
2.0MB

MD5
41c0e22d28973f312de789c027e61d0c

SHA1
193f7413961324eda1f3f8cd0f6010fcb73028ec

SHA256
282afb52e37bfb69d3016e1bb99e11aa9d6d9cb7759ba02279e44eeb9f504a9b

SHA512
d4196d39077e6f7ad8e402762fad33b3ce74558fd8c34b412dda96a118bb421927cec5816c6d5728de79288dfeccba066630211043b35c16c1a165a4bec19a37

Download Submit

Analysis

Sharing