wannacry | 1c1dac9c49cddb95400342bae8b73ceac5c0c61a1b11a5e2b7e6b73b89cb40da

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-09-2022 21:30

Target

1f7927f56bb9f080efc3be1c14ecaec6.exe
Size

3.6MB
MD5

1f7927f56bb9f080efc3be1c14ecaec6
SHA1

388f8de9899ab370a45f9eb02a090364c38b22bb
SHA256

1c1dac9c49cddb95400342bae8b73ceac5c0c61a1b11a5e2b7e6b73b89cb40da
SHA512

75bd4aa1aefd5d25a4f28c33658ab06642c2f36af779759ea0dd4d5c6ba681b24e87e1549682ba9ef02e23bd49c2ad506ad28e3ccdc03957c3456cfa0e16cfe2
SSDEEP

49152:VnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9wAHI:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9BHI

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1356) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

804 tasksche.exe

pid	process
804	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

1f7927f56bb9f080efc3be1c14ecaec6.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	1f7927f56bb9f080efc3be1c14ecaec6.exe

Drops file in Windows directory 1 IoCs

Processes:

1f7927f56bb9f080efc3be1c14ecaec6.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 1f7927f56bb9f080efc3be1c14ecaec6.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	1f7927f56bb9f080efc3be1c14ecaec6.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

1f7927f56bb9f080efc3be1c14ecaec6.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	1f7927f56bb9f080efc3be1c14ecaec6.exe

C:\Users\Admin\AppData\Local\Temp\1f7927f56bb9f080efc3be1c14ecaec6.exe
"C:\Users\Admin\AppData\Local\Temp\1f7927f56bb9f080efc3be1c14ecaec6.exe"
1⤵
- Drops file in Windows directory
PID:1184

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:804

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
9e628c827e5640caf07d6959f64d0618

SHA1
0799c65d5c256dbac5ee724e5300c60702155edf

SHA256
b0d21cdcf845a32d4377336a03072a344289c95211f37f7976db810e9a5d0490

SHA512
9216c226c1b6c001c74cfe50abdfd7e2f27f298e2092550404738deea670c2c4cb9df1019378a8dd80ab0ac2422fa775269ad6d9c55777ecea6826722c947f76

Download Submit
memory/1184-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download