Analysis
-
max time kernel
73s -
max time network
42s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
09-10-2022 16:44
Static task
static1
Behavioral task
behavioral1
Sample
ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe
Resource
win10v2004-20220812-en
General
-
Target
ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe
-
Size
244KB
-
MD5
bd96a097cc41b1e0b452c537d445962f
-
SHA1
56046e20c82984abfd0febf669d7493f6d155cde
-
SHA256
ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f
-
SHA512
649b6898dedf3bea2488f584dc2a3947873c9fa1d3f872c67bb262be976643ac8204aec014f81ad5b03031f049c7227f193ee8fa58b32a84ecaad035ac9d6fdb
-
SSDEEP
3072:xmrhd5U1eigWcR+uiUg6p4FLlG4tlLpz+mmCkHFZjoHEo3m:xEd5+IZiZhLlG4NimmCK
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1876 784 WerFault.exe ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
AUDIODG.EXEdescription pid process Token: 33 1468 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1468 AUDIODG.EXE Token: 33 1468 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1468 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exepid process 784 ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exepid process 784 ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe 784 ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exedescription pid process target process PID 784 wrote to memory of 1876 784 ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe WerFault.exe PID 784 wrote to memory of 1876 784 ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe WerFault.exe PID 784 wrote to memory of 1876 784 ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe WerFault.exe PID 784 wrote to memory of 1876 784 ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe"C:\Users\Admin\AppData\Local\Temp\ac73e3c9e7ee62be2d2138fa5f8ef28679c0a191882b7a30e35ce7b89786935f.exe"1⤵
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 3122⤵
- Program crash
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4881⤵
- Suspicious use of AdjustPrivilegeToken