Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-09-2022 19:49
Static task
- static1
Behavioral task
- behavioral1
  Sample: 13c48f1c0755effc4376bfa52f387d3c.exe
  Resource: win7-20220812-en
Behavioral task
- behavioral2
  Sample: 13c48f1c0755effc4376bfa52f387d3c.exe
  Resource: win10v2004-20220812-en
General
- Target: 13c48f1c0755effc4376bfa52f387d3c.exe
- Size: 2.2MB
- MD5: 13c48f1c0755effc4376bfa52f387d3c
- SHA1: 0ac1498a610347334450f1918bab617579914612
- SHA256: 1b519d3c9e1032164f405a499e5bab8bb1679b8ef545c910ef967c4961148edd
- SHA512: 447867c298fc7b02c7fdfdaaa3e15ae1b9aa7c924ebf07d8567c4b5c18ecd16f9303c7e1c24e9521381f5f0027c40552bcaf7c5497d53395b830ecbce529e9ad
- SSDEEP: 49152:QnsdEKUacBVQej/1INRx+TSqTdX1HkQo6SAARdhnvn:QCyfBhz1aRxcSUDk36SAEdhvn
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3206) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 1648: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (1 IoCs)
  Processes:
  File created: C:\WINDOWS\tasksche.exe (by 13c48f1c0755effc4376bfa52f387d3c.exe)
- Program crash (1 IoCs)
  Processes:
  WerFault.exe (pid 3132), target pid 1648 (tasksche.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: 13c48f1c0755effc4376bfa52f387d3c.exe
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 13c48f1c0755effc4376bfa52f387d3c.exe
  PID 3500 (13c48f1c0755effc4376bfa52f387d3c.exe) wrote to memory of PID 1648 (tasksche.exe)
  PID 3500 (13c48f1c0755effc4376bfa52f387d3c.exe) wrote to memory of PID 1648 (tasksche.exe)
  PID 3500 (13c48f1c0755effc4376bfa52f387d3c.exe) wrote to memory of PID 1648 (tasksche.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\tasksche.exe
    Command line: C:\WINDOWS\tasksche.exe /i
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 596
      - Program crash
- C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe -m security
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1648 -ip 1648
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\WINDOWS\tasksche.exe
  Filesize: 2.0MB
  MD5: 9cbde1a45c70eb9a71afe6c68b1c554d
  SHA1: 6ae0c0a8a03f114997568ff0396d1ded9c33e15c
  SHA256: 1f219a2df3d2eb0a9cf4a624c6ecc128d3dfce19134b6fe7c20d329a415a7153
  SHA512: ba863bc87a9d87044fe99238ba76384e4989d356b0aee04bb70a132c8e840568dcff0c2525c4d0f981eab6fb275c03a0d7181cef73fd75592e5ccdf4f429f2c1
- C:\Windows\tasksche.exe
  Filesize: 2.0MB
  MD5: 9cbde1a45c70eb9a71afe6c68b1c554d
  SHA1: 6ae0c0a8a03f114997568ff0396d1ded9c33e15c
  SHA256: 1f219a2df3d2eb0a9cf4a624c6ecc128d3dfce19134b6fe7c20d329a415a7153
  SHA512: ba863bc87a9d87044fe99238ba76384e4989d356b0aee04bb70a132c8e840568dcff0c2525c4d0f981eab6fb275c03a0d7181cef73fd75592e5ccdf4f429f2c1
- memory/1648-132-0x0000000000000000-mapping.dmp