Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
06-09-2022 21:34
Static task
static1
Behavioral task
behavioral1
Sample
1660afa6704de7febc3a0d177aa2ed1e.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
1660afa6704de7febc3a0d177aa2ed1e.exe
Resource
win10v2004-20220901-en
General
-
Target
1660afa6704de7febc3a0d177aa2ed1e.exe
-
Size
3.6MB
-
MD5
1660afa6704de7febc3a0d177aa2ed1e
-
SHA1
fa4804674193a4c9a5b55fbf9aea55d060e7a7c5
-
SHA256
c4864b9cd0e9d0cf393b0da8126ba7928c3e1a2f7dc2bfdaf463086c1a079b6e
-
SHA512
8733e67795ba1ab89190b3dba8cf545ec48c61ef5062bcc8782e8e1ff523314bcd47e06858bf808310debb10163922b39f448ab75c8b6e9e1a140d15b512b602
-
SSDEEP
49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhn:yDqPoBhz1aRxcSUDk36SAEdh
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3367) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 1104 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
1660afa6704de7febc3a0d177aa2ed1e.exedescription ioc process File created C:\WINDOWS\tasksche.exe 1660afa6704de7febc3a0d177aa2ed1e.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
1660afa6704de7febc3a0d177aa2ed1e.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 1660afa6704de7febc3a0d177aa2ed1e.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 1660afa6704de7febc3a0d177aa2ed1e.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 1660afa6704de7febc3a0d177aa2ed1e.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 1660afa6704de7febc3a0d177aa2ed1e.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 1660afa6704de7febc3a0d177aa2ed1e.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1660afa6704de7febc3a0d177aa2ed1e.exe"C:\Users\Admin\AppData\Local\Temp\1660afa6704de7febc3a0d177aa2ed1e.exe"1⤵
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\1660afa6704de7febc3a0d177aa2ed1e.exeC:\Users\Admin\AppData\Local\Temp\1660afa6704de7febc3a0d177aa2ed1e.exe -m security1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5ac285f64f82f836e71377a718bb9c1b2
SHA14e79e15422ac6bb13e80c086c16c3aef19afd86a
SHA256ead37781b7d1fc2ac063d4876a0e0b8db6f7c3364c16d9f72bc1ad95b4685c8e
SHA5127faccc80bf5af6152c0e42746632c45e71e0fa4edbbf495e200c604ba0fe6808956af3d31270ac444e74bbd996f9a81a43edbbb69b8f6873bfba801fe178ccfa