Analysis

  • max time kernel
    138s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2022 03:58

General

  • Target

    eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe

  • Size

    5.0MB

  • MD5

    52b9761a0fb6f9bf4d62d60e512d63cc

  • SHA1

    08d125e7c0d547654de44956bdb9d006348069e8

  • SHA256

    eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7

  • SHA512

    735aedf16fc681a01300543c8a5c13cb8cedbbdb7af85cf79d9dcaf2c559105fb8cf7454807fc3e6fa3ac54481532ab8c76667e6c383603db5da7659a5e589c9

  • SSDEEP

    49152:3nwMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvw:3wPoBhz1aRxcSUDk36SAEdhvw

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 49 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe
    "C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe"
    1⤵
    • Drops file in Windows directory
    PID:1932
  • C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe
    C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 568
      2⤵
      • Program crash
      PID:784
  • C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe
    C:\Users\Admin\AppData\Local\Temp\eafa317c34a868cb700a943c6abc04025bc8e5589afab1ab457372c51eb971d7.exe -m security
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 560
      2⤵
      • Program crash
      PID:1068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/784-56-0x0000000000000000-mapping.dmp
  • memory/1068-58-0x0000000000000000-mapping.dmp
  • memory/1932-54-0x0000000075F51000-0x0000000075F53000-memory.dmp
    Filesize

    8KB