Analysis
-
max time kernel
161s
-
max time network
163s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220812-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
-
submitted
08-09-2022 19:50
Static task
static1
Behavioral task
behavioral1
Sample
b562c6ed92797b8227b94d4f6aed36dd.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
b562c6ed92797b8227b94d4f6aed36dd.exe
Resource
win10v2004-20220812-en
General
-
Target
b562c6ed92797b8227b94d4f6aed36dd.exe
-
Size
3.6MB
-
MD5
b562c6ed92797b8227b94d4f6aed36dd
-
SHA1
9c3bf8ecc5e2422ae51fe671b24281959b3d6bb3
-
SHA256
194dd7372ab80502948532d6f99a461b5c6d98c34438d0b2618e2385c44ffde7
-
SHA512
66e6ae549cdf4056096d0afb8de77ffe716ff75c411abc5b1be06c043250b9491fee766fa8668d8f51dc3b5ddc9fa2027434a3317f6d9b64d4af1cc0eea6d7a3
-
SSDEEP
49152:2nAQqMSPbcBVQej/i9MFyQTBlVPkn/RqqoQdEau3R8yAH1plAHI:yDqPoBhzi9tQLkn/REN3R8yAVp2HI
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3006) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exe
pid | process
4136 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
b562c6ed92797b8227b94d4f6aed36dd.exe
description | ioc | process
File created | C:\WINDOWS\tasksche.exe | b562c6ed92797b8227b94d4f6aed36dd.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
b562c6ed92797b8227b94d4f6aed36dd.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | b562c6ed92797b8227b94d4f6aed36dd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | b562c6ed92797b8227b94d4f6aed36dd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | b562c6ed92797b8227b94d4f6aed36dd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | b562c6ed92797b8227b94d4f6aed36dd.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | b562c6ed92797b8227b94d4f6aed36dd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe
"C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe" 1⤵
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i 2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe
C:\Users\Admin\AppData\Local\Temp\b562c6ed92797b8227b94d4f6aed36dd.exe -m security 1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Windows\tasksche.exe
-
Filesize
3.4MB
-
MD5
35d068c0d4e64720648dc40b64344412
-
SHA1
ae4b9c1fe950e6ec0d2531806b92c699d7a9a2ae
-
SHA256
cf119ef88df787c995341c0204bf3c6a50ada1c04b5737197710dcfa5a101c4f
-
SHA512
61ea9f3959ea0b5dff1ab7520bc609e844fa3a7fca9c8b63dfe5d62f5d63709dc0e5e03c182259504177d4e9272dc16d94b9ea5b4a36148c4c7b5b2e428cb56e