Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    08-09-2022 19:49

General

  • Target

    13c48f1c0755effc4376bfa52f387d3c.exe

  • Size

    2MB

  • MD5

    13c48f1c0755effc4376bfa52f387d3c

  • SHA1

    0ac1498a610347334450f1918bab617579914612

  • SHA256

    1b519d3c9e1032164f405a499e5bab8bb1679b8ef545c910ef967c4961148edd

  • SHA512

    447867c298fc7b02c7fdfdaaa3e15ae1b9aa7c924ebf07d8567c4b5c18ecd16f9303c7e1c24e9521381f5f0027c40552bcaf7c5497d53395b830ecbce529e9ad

  • SSDEEP

    49152:QnsdEKUacBVQej/1INRx+TSqTdX1HkQo6SAARdhnvn:QCyfBhz1aRxcSUDk36SAEdhvn

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1299) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe
    "C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 224
        3⤵
        • Program crash
        PID:368
  • C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe
    C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe -m security
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1212

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Network Service Scanning

1
T1046

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\tasksche.exe
    Filesize

    1MB

    MD5

    9cbde1a45c70eb9a71afe6c68b1c554d

    SHA1

    6ae0c0a8a03f114997568ff0396d1ded9c33e15c

    SHA256

    1f219a2df3d2eb0a9cf4a624c6ecc128d3dfce19134b6fe7c20d329a415a7153

    SHA512

    ba863bc87a9d87044fe99238ba76384e4989d356b0aee04bb70a132c8e840568dcff0c2525c4d0f981eab6fb275c03a0d7181cef73fd75592e5ccdf4f429f2c1

  • C:\Windows\tasksche.exe
    Filesize

    1MB

    MD5

    9cbde1a45c70eb9a71afe6c68b1c554d

    SHA1

    6ae0c0a8a03f114997568ff0396d1ded9c33e15c

    SHA256

    1f219a2df3d2eb0a9cf4a624c6ecc128d3dfce19134b6fe7c20d329a415a7153

    SHA512

    ba863bc87a9d87044fe99238ba76384e4989d356b0aee04bb70a132c8e840568dcff0c2525c4d0f981eab6fb275c03a0d7181cef73fd75592e5ccdf4f429f2c1

  • memory/368-60-0x0000000000000000-mapping.dmp
  • memory/1048-54-0x0000000076171000-0x0000000076173000-memory.dmp
    Filesize

    8KB

  • memory/1784-56-0x0000000000000000-mapping.dmp