Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
- submitted: 08-09-2022 19:40
Static task
static1
Behavioral task
behavioral1
Sample
87f80f62e4d7e3cdfa712fc109bc79a4.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
87f80f62e4d7e3cdfa712fc109bc79a4.exe
Resource
win10v2004-20220901-en
General
-
Target
87f80f62e4d7e3cdfa712fc109bc79a4.exe
-
Size
3.6MB
-
MD5
87f80f62e4d7e3cdfa712fc109bc79a4
-
SHA1
03abae660bf37cfbffae6d0e34c896fe3d5557d6
-
SHA256
08986944b87cbbb7245a342f846dfb03534e749ed9ffd453babd4f9f7682f066
-
SHA512
1da0fe361dcc17177d680e6922dcd26939a4c3df30ccb75310ed7be94e9c8172728949f5e489eeef583065e3fe7724317a71c527b436576b0527a0bd9e6566a6
-
SSDEEP
6144:GE9l9yNqIYVTH5DgSg8ajldktM0XXrs2Qh:GwbLgPluxQh
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3272) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exe
pid: 4248; process: tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
87f80f62e4d7e3cdfa712fc109bc79a4.exe
description: File created; ioc: C:\WINDOWS\tasksche.exe; process: 87f80f62e4d7e3cdfa712fc109bc79a4.exe
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid: 3468; pid_target: 4248; process: WerFault.exe; target process: tasksche.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
87f80f62e4d7e3cdfa712fc109bc79a4.exe
description: PID 2076 wrote to memory of 4248; pid: 2076; process: 87f80f62e4d7e3cdfa712fc109bc79a4.exe; target process: tasksche.exe
description: PID 2076 wrote to memory of 4248; pid: 2076; process: 87f80f62e4d7e3cdfa712fc109bc79a4.exe; target process: tasksche.exe
description: PID 2076 wrote to memory of 4248; pid: 2076; process: 87f80f62e4d7e3cdfa712fc109bc79a4.exe; target process: tasksche.exe
Processes
-
"C:\Users\Admin\AppData\Local\Temp\87f80f62e4d7e3cdfa712fc109bc79a4.exe"
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
  C:\WINDOWS\tasksche.exe /i
  - Executes dropped EXE
-
    C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 220
    - Program crash
-
C:\Users\Admin\AppData\Local\Temp\87f80f62e4d7e3cdfa712fc109bc79a4.exe -m security
-
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4248 -ip 4248
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\WINDOWS\tasksche.exe
Filesize: 3.4MB
MD5: f78f0687753655dfa05483afeed87e95
SHA1: 4a9821ef8b85c2c61168e9a143a4ea43dda15e1c
SHA256: ff24805aaa26c840eae9996c8ac7bcb7050b55a9f61436be71e9cf8e21634a00
SHA512: 23516197d198fb04c5ad01867f6eaaf447002ba3a2a21db850fae4cca242f7da4e64cfa295b05008c5aef8863b5c5aa558bd324c6e26bb2a9836b23bdb87348a
-
C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: f78f0687753655dfa05483afeed87e95
SHA1: 4a9821ef8b85c2c61168e9a143a4ea43dda15e1c
SHA256: ff24805aaa26c840eae9996c8ac7bcb7050b55a9f61436be71e9cf8e21634a00
SHA512: 23516197d198fb04c5ad01867f6eaaf447002ba3a2a21db850fae4cca242f7da4e64cfa295b05008c5aef8863b5c5aa558bd324c6e26bb2a9836b23bdb87348a
-
memory/4248-132-0x0000000000000000-mapping.dmp