Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-09-2022 19:49

General

  • Target

    13c48f1c0755effc4376bfa52f387d3c.exe

  • Size

    2MB

  • MD5

    13c48f1c0755effc4376bfa52f387d3c

  • SHA1

    0ac1498a610347334450f1918bab617579914612

  • SHA256

    1b519d3c9e1032164f405a499e5bab8bb1679b8ef545c910ef967c4961148edd

  • SHA512

    447867c298fc7b02c7fdfdaaa3e15ae1b9aa7c924ebf07d8567c4b5c18ecd16f9303c7e1c24e9521381f5f0027c40552bcaf7c5497d53395b830ecbce529e9ad

  • SSDEEP

    49152:QnsdEKUacBVQej/1INRx+TSqTdX1HkQo6SAARdhnvn:QCyfBhz1aRxcSUDk36SAEdhvn

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3206) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe
    "C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:1648
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 596
        3⤵
        • Program crash
        PID:3132
  • C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe
    C:\Users\Admin\AppData\Local\Temp\13c48f1c0755effc4376bfa52f387d3c.exe -m security
    1⤵
    • Modifies data under HKEY_USERS
    PID:4692
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1648 -ip 1648
    1⤵
    PID:1164

Network

MITRE ATT&CK Matrix ATT&CK v6

Discovery

Network Service Scanning
2
T1046


Downloads

  • C:\WINDOWS\tasksche.exe

    Filesize
    1MB

    MD5
    9cbde1a45c70eb9a71afe6c68b1c554d

    SHA1
    6ae0c0a8a03f114997568ff0396d1ded9c33e15c

    SHA256
    1f219a2df3d2eb0a9cf4a624c6ecc128d3dfce19134b6fe7c20d329a415a7153

    SHA512
    ba863bc87a9d87044fe99238ba76384e4989d356b0aee04bb70a132c8e840568dcff0c2525c4d0f981eab6fb275c03a0d7181cef73fd75592e5ccdf4f429f2c1

  • C:\Windows\tasksche.exe

    Filesize
    1MB

    MD5
    9cbde1a45c70eb9a71afe6c68b1c554d

    SHA1
    6ae0c0a8a03f114997568ff0396d1ded9c33e15c

    SHA256
    1f219a2df3d2eb0a9cf4a624c6ecc128d3dfce19134b6fe7c20d329a415a7153

    SHA512
    ba863bc87a9d87044fe99238ba76384e4989d356b0aee04bb70a132c8e840568dcff0c2525c4d0f981eab6fb275c03a0d7181cef73fd75592e5ccdf4f429f2c1

  • memory/1648-132-0x0000000000000000-mapping.dmp