Analysis
- max time kernel: 161s
- max time network: 165s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 20-09-2022 16:43
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 3259b250e93b5050a27a6de5a92c2ce0.exe
  - Resource: win7-20220812-en
- Behavioral task: behavioral2
  - Sample: 3259b250e93b5050a27a6de5a92c2ce0.exe
  - Resource: win10v2004-20220812-en
General
- Target: 3259b250e93b5050a27a6de5a92c2ce0.exe
- Size: 3.6MB
- MD5: 3259b250e93b5050a27a6de5a92c2ce0
- SHA1: a010bfdecd5bf99ab7e45fdd15b5d2937233e01f
- SHA256: 74e59e259f327ebc2e616d449acfb97fbb43823dd368df95b12c5d23cd0c1e46
- SHA512: fb25b6ba459935ccda8772b4beaf47d0d016676d5fd210dc344e2ae20c7f573b9a374e7279d1ba358d30f85f1fa9728b3708369b6bdfe3efd764c6f38beb15f4
- SSDEEP: 49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA1PAMEc:yDqPoBhz1aRxcSUDk36SAgP5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1194) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (1 IoC)
  Processes:
  - tasksche.exe (pid 1548)
- Drops file in System32 directory (1 IoC)
  Processes (description / ioc / process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (3259b250e93b5050a27a6de5a92c2ce0.exe)
- Drops file in Windows directory (1 IoC)
  Processes (description / ioc / process):
  - File created: C:\WINDOWS\tasksche.exe (3259b250e93b5050a27a6de5a92c2ce0.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description / ioc / process), all by 3259b250e93b5050a27a6de5a92c2ce0.exe:
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecision = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecisionTime = c0de1cf920cdd801
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecisionTime = c0de1cf920cdd801
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\f2-0c-50-c0-d1-76
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecisionReason = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-0c-50-c0-d1-76\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadDecisionReason = "1"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32173189-9B1B-497B-B864-B1A4CF51DF2C}\WpadNetworkName = "Network 3"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Processes
- C:\Users\Admin\AppData\Local\Temp\3259b250e93b5050a27a6de5a92c2ce0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3259b250e93b5050a27a6de5a92c2ce0.exe"
  - Drops file in Windows directory
  - Child: C:\WINDOWS\tasksche.exe
    Command line: C:\WINDOWS\tasksche.exe /i
    - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\3259b250e93b5050a27a6de5a92c2ce0.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3259b250e93b5050a27a6de5a92c2ce0.exe -m security
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: 05873a57dd67c3a3ef195508f727eb72
  - SHA1: 5bfb52f23c9e30eb11c7d058f747240a41cc131f
  - SHA256: 1dd54f3158608cad43e3584fc0706b0c42f7e5b10349365047a89bb1c12c0c54
  - SHA512: 35cba64e4f7659c55290aa0c1ca2c11ac2b4310b4b58c26d154b68cdd684e0a5a9ddcf6d21ec7b2213838a1de1600193858989dffcf3944643a4d27930b2eaef
- memory/1980-54-0x00000000756B1000-0x00000000756B3000-memory.dmp
  - Filesize: 8KB