wannacry | 1c1dac9c49cddb95400342bae8b73ceac5c0c61a1b11a5e2b7e6b73b89cb40da

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2022 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f7927f56bb9f080efc3be1c14ecaec6.exe
Size

3.6MB
MD5

1f7927f56bb9f080efc3be1c14ecaec6
SHA1

388f8de9899ab370a45f9eb02a090364c38b22bb
SHA256

1c1dac9c49cddb95400342bae8b73ceac5c0c61a1b11a5e2b7e6b73b89cb40da
SHA512

75bd4aa1aefd5d25a4f28c33658ab06642c2f36af779759ea0dd4d5c6ba681b24e87e1549682ba9ef02e23bd49c2ad506ad28e3ccdc03957c3456cfa0e16cfe2
SSDEEP

49152:VnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9wAHI:Z8qPoBhz1aRxcSUDk36SAEdhvxWa9BHI

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3190) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

2068 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 1 IoCs

Processes:

1f7927f56bb9f080efc3be1c14ecaec6.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 1f7927f56bb9f080efc3be1c14ecaec6.exe

pid	process
2068	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	1f7927f56bb9f080efc3be1c14ecaec6.exe

C:\Users\Admin\AppData\Local\Temp\1f7927f56bb9f080efc3be1c14ecaec6.exe
"C:\Users\Admin\AppData\Local\Temp\1f7927f56bb9f080efc3be1c14ecaec6.exe"
1⤵
- Drops file in Windows directory
PID:4952

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:2068

C:\Users\Admin\AppData\Local\Temp\1f7927f56bb9f080efc3be1c14ecaec6.exe
C:\Users\Admin\AppData\Local\Temp\1f7927f56bb9f080efc3be1c14ecaec6.exe -m security
1⤵
PID:1820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
9e628c827e5640caf07d6959f64d0618

SHA1
0799c65d5c256dbac5ee724e5300c60702155edf

SHA256
b0d21cdcf845a32d4377336a03072a344289c95211f37f7976db810e9a5d0490

SHA512
9216c226c1b6c001c74cfe50abdfd7e2f27f298e2092550404738deea670c2c4cb9df1019378a8dd80ab0ac2422fa775269ad6d9c55777ecea6826722c947f76

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads