Analysis
-
max time kernel
153s -
max time network
246s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
30-08-2022 19:13
Static task
static1
Behavioral task
behavioral1
Sample
9e0831bbad2cf01947e7bc48bb3e541e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
9e0831bbad2cf01947e7bc48bb3e541e.exe
Resource
win10v2004-20220812-en
General
-
Target
9e0831bbad2cf01947e7bc48bb3e541e.exe
-
Size
3.6MB
-
MD5
9e0831bbad2cf01947e7bc48bb3e541e
-
SHA1
54da937e67ef0a839a12caff913fa6ff2e4bbc5d
-
SHA256
ae78d50f80b03b2c8bab5a189f4af890ab753dd7cfc73494b0d22f44fac599b7
-
SHA512
1e75525a893042dc8a8a38d7dd5c890742d16aa587f89b55ca7d584c8a59744c0569bb4321677af9d04a7a7f5abcb7e15969332064ac6b798a6c8feaf1eb219d
-
SSDEEP
49152:2nAQhMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:yDhPoBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2677) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exe
pid: 2592, process: tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
9e0831bbad2cf01947e7bc48bb3e541e.exe
File created: C:\WINDOWS\tasksche.exe (process: 9e0831bbad2cf01947e7bc48bb3e541e.exe)
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
9e0831bbad2cf01947e7bc48bb3e541e.exe
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (process: 9e0831bbad2cf01947e7bc48bb3e541e.exe)
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (process: 9e0831bbad2cf01947e7bc48bb3e541e.exe)
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (process: 9e0831bbad2cf01947e7bc48bb3e541e.exe)
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (process: 9e0831bbad2cf01947e7bc48bb3e541e.exe)
Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (process: 9e0831bbad2cf01947e7bc48bb3e541e.exe)
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e0831bbad2cf01947e7bc48bb3e541e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9e0831bbad2cf01947e7bc48bb3e541e.exe"
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exe
Command line: C:\WINDOWS\tasksche.exe /i
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\9e0831bbad2cf01947e7bc48bb3e541e.exe
Command line: C:\Users\Admin\AppData\Local\Temp\9e0831bbad2cf01947e7bc48bb3e541e.exe -m security
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\tasksche.exe
Filesize
3.4MB
MD5
8335fd04836371943cc21abdff044dc8
SHA1
09291038edc5aef2e6a6d4a6c9657fd544fa529a
SHA256
746b1c39889681e4d2f2851249c5592ab11024b58167290589e2dea056de260f
SHA512
d7d5c214206aaeb662c907ad5218873264dfd1fde12070fdddd09d692b3e597b8de89afff704403d454fb74e1282ba1dd2b8e3b7239251e752e92363f84183a1