Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 08-09-2022 19:50
Static task: static1
Behavioral task: behavioral1
- Sample: b562c6ed92797b8227b94d4f6aed36dd.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: b562c6ed92797b8227b94d4f6aed36dd.exe
- Resource: win10v2004-20220812-en
General
- Target: b562c6ed92797b8227b94d4f6aed36dd.exe
- Size: 3.6MB
- MD5: b562c6ed92797b8227b94d4f6aed36dd
- SHA1: 9c3bf8ecc5e2422ae51fe671b24281959b3d6bb3
- SHA256: 194dd7372ab80502948532d6f99a461b5c6d98c34438d0b2618e2385c44ffde7
- SHA512: 66e6ae549cdf4056096d0afb8de77ffe716ff75c411abc5b1be06c043250b9491fee766fa8668d8f51dc3b5ddc9fa2027434a3317f6d9b64d4af1cc0eea6d7a3
- SSDEEP: 49152:2nAQqMSPbcBVQej/i9MFyQTBlVPkn/RqqoQdEau3R8yAH1plAHI:yDqPoBhzi9tQLkn/REN3R8yAVp2HI
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (1277) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (1 IoC)
  Process: tasksche.exe (PID 1612)
- Drops file in System32 directory (1 IoC)
  Process: b562c6ed92797b8227b94d4f6aed36dd.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- Drops file in Windows directory (1 IoC)
  Process: b562c6ed92797b8227b94d4f6aed36dd.exe
  File created: C:\WINDOWS\tasksche.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Process: b562c6ed92797b8227b94d4f6aed36dd.exe (performs every operation listed below)
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0096000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FF56848-E06C-4928-AC6F-0309D97B96F4}\WpadDecisionTime = 202e5500cdc3d801
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FF56848-E06C-4928-AC6F-0309D97B96F4}
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FF56848-E06C-4928-AC6F-0309D97B96F4}\WpadDecisionReason = "1"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-5c-dc-47-84-04
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-5c-dc-47-84-04\WpadDecisionReason = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FF56848-E06C-4928-AC6F-0309D97B96F4}\WpadDecision = "0"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FF56848-E06C-4928-AC6F-0309D97B96F4}\WpadNetworkName = "Network 3"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FF56848-E06C-4928-AC6F-0309D97B96F4}\86-5c-dc-47-84-04
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-5c-dc-47-84-04\WpadDecisionTime = 202e5500cdc3d801
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-5c-dc-47-84-04\WpadDecision = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Processes
- C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe"
  Signatures: Drops file in Windows directory
  - Child: C:\WINDOWS\tasksche.exe
    Command line: C:\WINDOWS\tasksche.exe /i
    Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe -m security
  Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS
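The process tree and signatures above describe a chain a hunter can look for on endpoint telemetry: a process writes tasksche.exe into C:\WINDOWS, that dropped binary is executed with `/i` by the process that wrote it, a second instance of the sample runs with `-m security`, and one process touches a large number (1277) of remote hosts. The Python below is an added example, not part of the sandbox report or its tooling: it turns those four observations into a check over Sysmon-style JSON events. The event records are constructed here to mirror the report's process tree (field names such as EventID, Image, CommandLine, ParentImage, TargetFilename and DestinationIp follow Sysmon's schema); the services.exe parent of the `-m security` instance, the destination addresses and the SCAN_THRESHOLD tuning value are assumptions of the example, not facts from the report.

```python
"""Hunt for the WannaCry-style behaviour chain recorded in this report.

Added example, not part of the sandbox report: it runs over constructed
Sysmon-style JSON events embedded below.  Field names follow the Sysmon
schema; the values are made up to mirror the report's process tree.
"""
import json
from collections import defaultdict

DROPPED_NAME = "tasksche.exe"   # dropped into C:\WINDOWS per the report
SCAN_THRESHOLD = 100            # assumed tuning value: distinct hosts per process

# Constructed events: the dropper (pid 536) writes tasksche.exe and runs it
# with "/i"; a second instance (pid 1700) runs with "-m security" (parent
# assumed here; the report shows none); notepad (pid 2000) is benign noise.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 536, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\b562c6ed92797b8227b94d4f6aed36dd.exe", "CommandLine": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b562c6ed92797b8227b94d4f6aed36dd.exe\"", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 11, "ProcessId": 536, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\b562c6ed92797b8227b94d4f6aed36dd.exe", "TargetFilename": "C:\\WINDOWS\\tasksche.exe"}
{"EventID": 1, "ProcessId": 1612, "Image": "C:\\WINDOWS\\tasksche.exe", "CommandLine": "C:\\WINDOWS\\tasksche.exe /i", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\b562c6ed92797b8227b94d4f6aed36dd.exe"}
{"EventID": 1, "ProcessId": 1700, "Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\b562c6ed92797b8227b94d4f6aed36dd.exe", "CommandLine": "C:\\Users\\Admin\\AppData\\Local\\Temp\\b562c6ed92797b8227b94d4f6aed36dd.exe -m security", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"EventID": 1, "ProcessId": 2000, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
"""


def make_network_events(pid, host_count):
    """Constructed Sysmon EventID 3 records: one connection per distinct host.
    The 10.0.x.y addresses are invented; the report does not list destinations."""
    return [{"EventID": 3, "ProcessId": pid,
             "DestinationIp": f"10.0.{i // 256}.{i % 256}"}
            for i in range(host_count)]


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Return (finding, pid, detail) tuples for the behaviours seen in the report."""
    findings = []
    dropper_images = set()
    # 1. A process writes tasksche.exe (report: "Drops file in Windows directory").
    for ev in events:
        if ev.get("EventID") == 11 and ev["TargetFilename"].lower().endswith("\\" + DROPPED_NAME):
            dropper_images.add(ev["Image"].lower())
            findings.append(("drop", ev["ProcessId"], ev["TargetFilename"]))
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image = ev["Image"].lower()
        args = ev.get("CommandLine", "").lower().split()
        # 2. The dropped binary runs with "/i", parented by the process that wrote it.
        if (image.endswith("\\" + DROPPED_NAME) and "/i" in args
                and ev.get("ParentImage", "").lower() in dropper_images):
            findings.append(("exec_dropped", ev["ProcessId"], ev["CommandLine"]))
        # 3. Any process started with the trailing arguments "-m security".
        if args[-2:] == ["-m", "security"]:
            findings.append(("service_mode", ev["ProcessId"], ev["CommandLine"]))
    # 4. Fan-out: many distinct destinations from one process (report: 1277 hosts).
    dests = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 3:
            dests[ev["ProcessId"]].add(ev["DestinationIp"])
    for pid, hosts in sorted(dests.items()):
        if len(hosts) >= SCAN_THRESHOLD:
            findings.append(("scan", pid, len(hosts)))
    return findings


def run_demo():
    """Run the hunt over the constructed process, file and network events."""
    events = parse_events(SAMPLE_EVENTS)
    events += make_network_events(1700, 1277)   # the scanning instance
    events += make_network_events(2000, 3)      # benign process, few hosts
    return hunt(events)


if __name__ == "__main__":
    for kind, pid, detail in run_demo():
        print(f"{kind:13} pid={pid:<5} {detail}")
```

The drop and exec checks are tied together through the parent image so that a legitimate binary that merely happens to be named tasksche.exe is not flagged on its own; the fan-out check counts distinct destinations rather than connections, which is what separates a scan from a chatty client talking to one server. Tune SCAN_THRESHOLD to the environment; 100 is only a starting point.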
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 35d068c0d4e64720648dc40b64344412
  SHA1: ae4b9c1fe950e6ec0d2531806b92c699d7a9a2ae
  SHA256: cf119ef88df787c995341c0204bf3c6a50ada1c04b5737197710dcfa5a101c4f
  SHA512: 61ea9f3959ea0b5dff1ab7520bc609e844fa3a7fca9c8b63dfe5d62f5d63709dc0e5e03c182259504177d4e9272dc16d94b9ea5b4a36148c4c7b5b2e428cb56e
- memory/536-54-0x0000000076831000-0x0000000076833000-memory.dmp
  Filesize: 8KB