Analysis
-
max time kernel
162s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-08-2022 19:38
Static task
static1
Behavioral task
behavioral1
Sample
d3ec672641453f5c89df88d4f8406c2d.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d3ec672641453f5c89df88d4f8406c2d.exe
Resource
win10v2004-20220812-en
General
-
Target
d3ec672641453f5c89df88d4f8406c2d.exe
-
Size
5.0MB
-
MD5
d3ec672641453f5c89df88d4f8406c2d
-
SHA1
04d830bea0adf586eb26b87169f60f86496d8524
-
SHA256
c3afa515f5b594145699c0e55be85f72a18614fceb34def8587fc04fac5c2178
-
SHA512
17697e8b1c1cea78b3dd10543bfa3cb29b4b0511af05a2745f339391854914192fc6b8763313933d4f11f59600d09eee3aec043d0dfc1e01592fbb21cd47fc37
-
SSDEEP
98304:yDqPoBhz1aRxcSUDk36SAEdhvxWaN593R8yAVp2H:yDqPe1Cxcxk3ZAEUaNzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3341) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 1112 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
d3ec672641453f5c89df88d4f8406c2d.exedescription ioc process File created C:\WINDOWS\tasksche.exe d3ec672641453f5c89df88d4f8406c2d.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
d3ec672641453f5c89df88d4f8406c2d.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" d3ec672641453f5c89df88d4f8406c2d.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" d3ec672641453f5c89df88d4f8406c2d.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" d3ec672641453f5c89df88d4f8406c2d.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" d3ec672641453f5c89df88d4f8406c2d.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ d3ec672641453f5c89df88d4f8406c2d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d3ec672641453f5c89df88d4f8406c2d.exe"C:\Users\Admin\AppData\Local\Temp\d3ec672641453f5c89df88d4f8406c2d.exe"1⤵
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\d3ec672641453f5c89df88d4f8406c2d.exeC:\Users\Admin\AppData\Local\Temp\d3ec672641453f5c89df88d4f8406c2d.exe -m security1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD59bba78cb86b7021eafc584a46d38bf14
SHA1499621d587e43c32e89bd3e406f71dba048f09bc
SHA256be6aff27c378fd6b83694b401b8c4e628114bd51221075ff3f21eb5e8ff6b7c4
SHA512ee4eff0214674776a45ccd1f485c69a5a88b9a3e9b6e1732742275aeba4a99de1e1520501a47adbb9182ef8d18917e777c9ebc909aff6215724c263c2e7091ed