Analysis

  • max time kernel
    165s
  • max time network
    181s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2022 16:49

General

  • Target

    437bcfcc27e4ba1116f0159dde871bdb.exe

  • Size

    4MB

  • MD5

    437bcfcc27e4ba1116f0159dde871bdb

  • SHA1

    6e65905373c3ea527749fc52c219dfc45c76a5cb

  • SHA256

    efa7b9b0cfd862cc6bca151d63cca7e5fd0da0d39ddbc327c6c2b340eb4dbe06

  • SHA512

    3104ab347a641a8489c51989f925a0a0d008801e65ee2dae52c95ef03ad76323342dc574ab50fb51f3263fbdb0d25e9d6b4f5e4ff79c53144a6e879fc0e50211

  • SSDEEP

    49152:XnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:XDqPoBhz1aRxcSUDk36SAEdhvxWa9P5

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1259) amount of remote hosts ⋅ 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE ⋅ 1 IoCs
  • Drops file in System32 directory ⋅ 1 IoCs
  • Drops file in Windows directory ⋅ 1 IoCs
  • Modifies data under HKEY_USERS ⋅ 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe
    "C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe"
    Drops file in Windows directory
    PID:856
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      Executes dropped EXE
      PID:1296
  • C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe
    C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe -m security
    Drops file in System32 directory
    Modifies data under HKEY_USERS
    PID:1060

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Replay Monitor

                        00:00 00:00

                        Downloads

                        • C:\Windows\tasksche.exe
                          MD5

                          1cf3eb065ddbecfb5bf82c3a7f485240

                          SHA1

                          26859d3823d1313ffe5fcbabb16cc95be231fe76

                          SHA256

                          a384045005889777a0d68368279f27e31e2e07996ca547ab90290cdf7f87734c

                          SHA512

                          9e09527b0ea0df9f5369bf4a435021c62131953fe109e0865f87f64f8340480f5df7c127f0b262f61e045c767f970519848881f32f1b558f6135dcc658f321a5

                        • memory/856-54-0x0000000075D01000-0x0000000075D03000-memory.dmp