wannacry | 805bc4fd54475d93b3811aeb32f2c761f46d52168507f3a0688d231ea117915e

General

Target

2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Size

2.2MB
MD5

211d3c5f37a5b13a27dc0ccfe5a41168
SHA1

6dad34d736943e645845c21a14666337da5fc6ce
SHA256

805bc4fd54475d93b3811aeb32f2c761f46d52168507f3a0688d231ea117915e
SHA512

2886b97c9a25cdbe443f49944fe50453742592fc501395221c4b4f5feeebe4f5b1df92de2fc8b91df67b84377fea3b428168c2a0a3d04e2d2a64efa9bf16e87b
SSDEEP

12288:e1bLgmluCti62gaIMu7LocQhfYNvrTcbckPU82900Ve7zw+K+DHeQYSUjEXF:QbLguriXd5cQdIvrYbcMNgef0QeQj

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (1520) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 4 IoCs

pid	Process
4828	tasksche.exe
4016	tasksche.exe
3940	tasksche.exe
4492	tasksche.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
File created	C:\WINDOWS\tasksche.exe	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2568	4828	WerFault.exe	84
3452	4016	WerFault.exe	99
2760	3940	WerFault.exe	104
4704	4492	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasksche.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2780138426-956448432-1440988935-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4584	OpenWith.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 4828	5000	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	84
PID 5000 wrote to memory of 4828	5000	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	84
PID 5000 wrote to memory of 4828	5000	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	84
PID 232 wrote to memory of 4016	232	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	99
PID 232 wrote to memory of 4016	232	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	99
PID 232 wrote to memory of 4016	232	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	99
PID 4112 wrote to memory of 3940	4112	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	104
PID 4112 wrote to memory of 3940	4112	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	104
PID 4112 wrote to memory of 3940	4112	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	104
PID 1260 wrote to memory of 4492	1260	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	108
PID 1260 wrote to memory of 4492	1260	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	108
PID 1260 wrote to memory of 4492	1260	2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe	108

C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5000
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 604
    3⤵
    - Program crash
    PID:2568

C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe -m security
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4828 -ip 4828
1⤵
PID:4400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2012

C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:232
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 520
    3⤵
    - Program crash
    PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4016 -ip 4016
1⤵
PID:1284

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4584

C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4112
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3940
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 600
    3⤵
    - Program crash
    PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3940 -ip 3940
1⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-03_211d3c5f37a5b13a27dc0ccfe5a41168_wannacry.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1260
- C:\WINDOWS\tasksche.exe
  C:\WINDOWS\tasksche.exe /i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 600
    3⤵
    - Program crash
    PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 232 -p 4492 -ip 4492
1⤵
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe

Filesize
2.0MB

MD5
81eae535f1bd00964645080809077b55

SHA1
9f3e1329142afb5ef9ba9e85b800876ed630eb30

SHA256
cc63f36dc17a0a98aa80e296f467cda6a1e0771e8d1b224efe524b532e7bc3dc

SHA512
d53e2095b46f65cbd55a85f1b594dcdba95188156e322340bd39235369f20536bc857f8f81b1e9c8d7321f1ba991d798ead95b067b0547e6ed41cdccd8bef704

Download Submit

Resubmissions

Analysis

Sharing