Analysis
Max time kernel: 162s
Max time network: 170s
Platform: windows10-2004_x64
Resource: win10v2004-20220812-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 20-09-2022 16:49
Static task: static1
Behavioral task: behavioral1
  Sample: 437bcfcc27e4ba1116f0159dde871bdb.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 437bcfcc27e4ba1116f0159dde871bdb.exe
  Resource: win10v2004-20220812-en
General
Target: 437bcfcc27e4ba1116f0159dde871bdb.exe
Size: 5.0MB
MD5: 437bcfcc27e4ba1116f0159dde871bdb
SHA1: 6e65905373c3ea527749fc52c219dfc45c76a5cb
SHA256: efa7b9b0cfd862cc6bca151d63cca7e5fd0da0d39ddbc327c6c2b340eb4dbe06
SHA512: 3104ab347a641a8489c51989f925a0a0d008801e65ee2dae52c95ef03ad76323342dc574ab50fb51f3263fbdb0d25e9d6b4f5e4ff79c53144a6e879fc0e50211
SSDEEP: 49152:XnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:XDqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (2995) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (1 IoC)
  Processes:
    PID 728: tasksche.exe
Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
Drops file in Windows directory (1 IoC)
  Processes:
    File created: C:\WINDOWS\tasksche.exe (process: 437bcfcc27e4ba1116f0159dde871bdb.exe)
Modifies data under HKEY_USERS (5 IoCs)
  Processes (all by 437bcfcc27e4ba1116f0159dde871bdb.exe):
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
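The two network signatures above ("Contacts a large (2995) amount of remote hosts" and "Creates a large amount of network flows") both reduce to the same check: one process reaching an unusually large number of distinct destinations in a short time. The detector below is an added example, not part of the sandbox report or of any sandbox's own code; the flow records are constructed, the only value taken from the report is the 2995 host count attributed to PID 728 tasksche.exe, and the 100-hosts-in-60-seconds threshold is an assumption to tune per environment.

```python
"""Fan-out detector for the two network signatures above (added example,
not part of the sandbox report). Flow records are constructed; the
100-hosts-per-60-seconds threshold is an assumed starting point."""
from collections import defaultdict, deque
from dataclasses import dataclass
from itertools import islice
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds; any monotonic clock works
    pid: int
    image: str     # originating process image name
    dst_ip: str


def scan_fanout(flows, window_s=60.0, threshold=100):
    """Return {(pid, image): peak count of distinct destination hosts seen
    inside any sliding window of `window_s` seconds} for every process whose
    peak reaches `threshold`.

    Distinct hosts are counted rather than raw flows, so a process that opens
    thousands of connections to one server is not mistaken for a scanner,
    while a sweep of one connection per host is."""
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f.pid, f.image)].append(f)

    flagged = {}
    for key, proc_flows in by_proc.items():
        proc_flows.sort(key=lambda f: f.ts)
        window = deque()              # flows currently inside the window
        in_window = defaultdict(int)  # dst_ip -> number of flows in window
        peak = 0
        for f in proc_flows:
            window.append(f)
            in_window[f.dst_ip] += 1
            # Evict flows older than window_s relative to the newest one.
            while window[0].ts < f.ts - window_s:
                old = window.popleft()
                in_window[old.dst_ip] -= 1
                if in_window[old.dst_ip] == 0:
                    del in_window[old.dst_ip]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def constructed_flows():
    """Constructed sample traffic (not captured from the sandbox run):
    PID 728 tasksche.exe sweeps 2995 distinct hosts in under a minute,
    matching the host count in the report; a browser talks repeatedly to
    five hosts and must not be flagged."""
    flows = []
    sweep = islice(ipaddress.ip_network("10.0.0.0/20").hosts(), 2995)
    for i, host in enumerate(sweep):
        flows.append(Flow(1000.0 + i * 0.02, 728, "tasksche.exe", str(host)))
    servers = [f"198.51.100.{n}" for n in range(1, 6)]  # TEST-NET-2 addresses
    for i in range(200):
        flows.append(Flow(1000.0 + i * 0.3, 4242, "browser.exe", servers[i % 5]))
    return flows


if __name__ == "__main__":
    for (pid, image), hosts in scan_fanout(constructed_flows()).items():
        print(f"{image} (pid {pid}): {hosts} distinct hosts within 60s")
```

Counting distinct destinations per process is what separates a worm sweep from a busy but legitimate client; on real telemetry the same logic runs over Sysmon event 3 or firewall flow logs keyed by PID and image.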
Processes
C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe"
  Signatures: Drops file in Windows directory
  Child: C:\WINDOWS\tasksche.exe
    Command line: C:\WINDOWS\tasksche.exe /i
    Signatures: Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe -m security
  Signatures: Modifies data under HKEY_USERS
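The process tree and the signature tables above give four host-side indicators: the file drop to C:\WINDOWS\tasksche.exe, the child launched as tasksche.exe /i, the second instance of the sample run with -m security, and the ZoneMap writes under HKEY_USERS\.DEFAULT. The script below matches them against process, file and registry events. It is an added example, not part of the report or of any sandbox's code; the event dicts are a simplified, constructed stand-in for Sysmon/EDR telemetry, and all PIDs except 728 are made up. The hashes, paths and registry values are copied from the report.

```python
"""Host-side indicator matching for the process tree and signature tables
above (added example, not part of the sandbox report). Event dicts are a
constructed, simplified stand-in for Sysmon/EDR telemetry."""
import re

# Indicators taken from the report: sample and dropped-file SHA-256, the drop
# path, and the HKEY_USERS\.DEFAULT ZoneMap values (all compared lowercase).
KNOWN_SHA256 = {
    "efa7b9b0cfd862cc6bca151d63cca7e5fd0da0d39ddbc327c6c2b340eb4dbe06",  # submitted sample
    "a384045005889777a0d68368279f27e31e2e07996ca547ab90290cdf7f87734c",  # dropped tasksche.exe
}
DROPPED_PATH = r"c:\windows\tasksche.exe"
ZONEMAP_DEFAULT = ("\\registry\\user\\.default\\software\\microsoft\\windows"
                   "\\currentversion\\internet settings\\zonemap\\")
ZONEMAP_VALUES = {"proxybypass": "1", "intranetname": "1",
                  "uncasintranet": "1", "autodetect": "0"}


def _norm(s):
    return s.strip().lower()


def match_event(ev):
    """Return the rule names a single event satisfies (possibly none)."""
    hits = []
    kind = ev["type"]
    if kind == "process":
        image, cmd = _norm(ev["image"]), _norm(ev["cmdline"])
        if ev.get("sha256", "").lower() in KNOWN_SHA256:
            hits.append("known_hash")
        # Dropped binary started from the Windows directory with /i, as in the tree.
        if image == DROPPED_PATH and re.search(r"(^|\s)/i(\s|$)", cmd):
            hits.append("tasksche_install")
        # Second instance of the sample re-launched with "-m security".
        if re.search(r"\s-m\s+security$", cmd):
            hits.append("sample_m_security")
    elif kind == "file":
        if _norm(ev["target"]) == DROPPED_PATH:
            hits.append("drop_tasksche")
    elif kind == "registry":
        key = _norm(ev["key"])
        # Weak signal on its own: many processes write these ZoneMap values when
        # they initialise Internet Settings. The .DEFAULT (SYSTEM) hive plus the
        # other rules firing for the same process is what makes it interesting.
        if key.startswith(ZONEMAP_DEFAULT):
            name = key[len(ZONEMAP_DEFAULT):]
            if ZONEMAP_VALUES.get(name) == str(ev.get("data")):
                hits.append("zonemap_default_hive")
    return hits


def triage(events):
    """Aggregate hits per PID: {pid: sorted distinct rule names} for PIDs with a hit."""
    per_pid = {}
    for ev in events:
        hits = match_event(ev)
        if hits:
            per_pid.setdefault(ev["pid"], set()).update(hits)
    return {pid: sorted(rules) for pid, rules in per_pid.items()}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\437bcfcc27e4ba1116f0159dde871bdb.exe"
ZM = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"


def constructed_events():
    """Constructed telemetry mirroring the report's process tree (PIDs other
    than 728 are made up), plus two benign events that must not match."""
    return [
        {"type": "process", "pid": 5120, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
         "sha256": "efa7b9b0cfd862cc6bca151d63cca7e5fd0da0d39ddbc327c6c2b340eb4dbe06"},
        {"type": "file", "pid": 5120, "target": r"C:\WINDOWS\tasksche.exe"},
        {"type": "process", "pid": 728, "image": r"C:\WINDOWS\tasksche.exe",
         "cmdline": r"C:\WINDOWS\tasksche.exe /i",
         "sha256": "A384045005889777A0D68368279F27E31E2E07996CA547AB90290CDF7F87734C"},
        {"type": "process", "pid": 6012, "image": SAMPLE, "cmdline": f"{SAMPLE} -m security",
         "sha256": "efa7b9b0cfd862cc6bca151d63cca7e5fd0da0d39ddbc327c6c2b340eb4dbe06"},
        {"type": "registry", "pid": 6012, "key": ZM + r"\ProxyBypass", "data": 1},
        {"type": "registry", "pid": 6012, "key": ZM + r"\AutoDetect", "data": 0},
        # Benign: svchost with an unrelated hash, and a ZoneMap write in a real user hive.
        {"type": "process", "pid": 1234, "image": r"C:\Windows\System32\svchost.exe",
         "cmdline": "svchost.exe -k netsvcs", "sha256": "00" * 32},
        {"type": "registry", "pid": 1234, "data": 1,
         "key": r"\REGISTRY\USER\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"},
    ]


if __name__ == "__main__":
    for pid, rules in sorted(triage(constructed_events()).items()):
        print(pid, ", ".join(rules))
```

The path check is deliberately exact: tasksche.exe under another directory, or a ZoneMap write under a normal user SID rather than .DEFAULT, yields no hit, which keeps the registry rule from firing on ordinary Internet Settings initialisation.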
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 1cf3eb065ddbecfb5bf82c3a7f485240
  SHA1: 26859d3823d1313ffe5fcbabb16cc95be231fe76
  SHA256: a384045005889777a0d68368279f27e31e2e07996ca547ab90290cdf7f87734c
  SHA512: 9e09527b0ea0df9f5369bf4a435021c62131953fe109e0865f87f64f8340480f5df7c127f0b262f61e045c767f970519848881f32f1b558f6135dcc658f321a5