wannacry | 08986944b87cbbb7245a342f846dfb03534e749ed9ffd453babd4f9f7682f066

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2022 19:40

Target

87f80f62e4d7e3cdfa712fc109bc79a4.exe
Size

3.6MB
MD5

87f80f62e4d7e3cdfa712fc109bc79a4
SHA1

03abae660bf37cfbffae6d0e34c896fe3d5557d6
SHA256

08986944b87cbbb7245a342f846dfb03534e749ed9ffd453babd4f9f7682f066
SHA512

1da0fe361dcc17177d680e6922dcd26939a4c3df30ccb75310ed7be94e9c8172728949f5e489eeef583065e3fe7724317a71c527b436576b0527a0bd9e6566a6
SSDEEP

6144:GE9l9yNqIYVTH5DgSg8ajldktM0XXrs2Qh:GwbLgPluxQh

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3272) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

tasksche.exe

pid process

4248 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 1 IoCs

Processes:

87f80f62e4d7e3cdfa712fc109bc79a4.exe

description ioc process

File created C:\WINDOWS\tasksche.exe 87f80f62e4d7e3cdfa712fc109bc79a4.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3468 4248 WerFault.exe tasksche.exe

pid	process
4248	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	87f80f62e4d7e3cdfa712fc109bc79a4.exe

pid	pid_target	process	target process
3468	4248	WerFault.exe	tasksche.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

87f80f62e4d7e3cdfa712fc109bc79a4.exe

description	pid	process	target process
PID 2076 wrote to memory of 4248	2076	87f80f62e4d7e3cdfa712fc109bc79a4.exe	tasksche.exe
PID 2076 wrote to memory of 4248	2076	87f80f62e4d7e3cdfa712fc109bc79a4.exe	tasksche.exe
PID 2076 wrote to memory of 4248	2076	87f80f62e4d7e3cdfa712fc109bc79a4.exe	tasksche.exe

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
2⤵
- Executes dropped EXE
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 220
3⤵
- Program crash
PID:3468

C:\Users\Admin\AppData\Local\Temp\87f80f62e4d7e3cdfa712fc109bc79a4.exe
C:\Users\Admin\AppData\Local\Temp\87f80f62e4d7e3cdfa712fc109bc79a4.exe -m security
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4248 -ip 4248
1⤵
PID:2032

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\WINDOWS\tasksche.exe
Filesize
3.4MB

MD5
f78f0687753655dfa05483afeed87e95

SHA1
4a9821ef8b85c2c61168e9a143a4ea43dda15e1c

SHA256
ff24805aaa26c840eae9996c8ac7bcb7050b55a9f61436be71e9cf8e21634a00

SHA512
23516197d198fb04c5ad01867f6eaaf447002ba3a2a21db850fae4cca242f7da4e64cfa295b05008c5aef8863b5c5aa558bd324c6e26bb2a9836b23bdb87348a

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
f78f0687753655dfa05483afeed87e95

SHA1
4a9821ef8b85c2c61168e9a143a4ea43dda15e1c

SHA256
ff24805aaa26c840eae9996c8ac7bcb7050b55a9f61436be71e9cf8e21634a00

SHA512
23516197d198fb04c5ad01867f6eaaf447002ba3a2a21db850fae4cca242f7da4e64cfa295b05008c5aef8863b5c5aa558bd324c6e26bb2a9836b23bdb87348a

Download Submit
memory/4248-132-0x0000000000000000-mapping.dmp

Download