Analysis
-
max time kernel
394s -
max time network
392s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
11-08-2024 22:24
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://google.com
Resource
win10v2004-20240802-en
Errors
General
-
Target
http://google.com
Malware Config
Extracted
C:\Users\Admin\Downloads\@[email protected]
wannacry
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
MEMZ.exeMEMZ.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation MEMZ.exe Key value queried \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation MEMZ.exe -
Drops startup file 2 IoCs
Processes:
WannaCry (1).EXEdescription ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBD87.tmp WannaCry (1).EXE File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBD9D.tmp WannaCry (1).EXE -
Executes dropped EXE 37 IoCs
Processes:
MEMZ.exeWannaCry (1).EXEtaskdl.exe@[email protected]@[email protected]taskhsvc.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exepid Process 1100 MEMZ.exe 5124 WannaCry (1).EXE 4296 taskdl.exe 2128 @[email protected] 5680 @[email protected] 5840 taskhsvc.exe 5956 MEMZ.exe 5800 MEMZ.exe 740 MEMZ.exe 5596 MEMZ.exe 5568 MEMZ.exe 5360 MEMZ.exe 5076 @[email protected] 5904 taskdl.exe 5900 taskse.exe 5916 @[email protected] 1628 taskdl.exe 1176 @[email protected] 5288 taskse.exe 5348 taskse.exe 3656 @[email protected] 4448 taskdl.exe 2588 @[email protected] 5388 taskse.exe 4388 taskdl.exe 4252 taskse.exe 3020 @[email protected] 4764 taskdl.exe 4840 taskse.exe 5032 @[email protected] 3924 taskdl.exe 2008 taskse.exe 4452 @[email protected] 2576 taskdl.exe 5784 taskse.exe 5260 @[email protected] 2940 taskdl.exe -
Loads dropped DLL 7 IoCs
Processes:
taskhsvc.exepid Process 5840 taskhsvc.exe 5840 taskhsvc.exe 5840 taskhsvc.exe 5840 taskhsvc.exe 5840 taskhsvc.exe 5840 taskhsvc.exe 5840 taskhsvc.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fnhuhmufqzho584 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" reg.exe -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Processes:
flow ioc 123 raw.githubusercontent.com 124 raw.githubusercontent.com 139 camo.githubusercontent.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
MEMZ.exedescription ioc Process File opened for modification \??\PhysicalDrive0 MEMZ.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
WannaCry (1).EXE@[email protected]description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" WannaCry (1).EXE Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" @[email protected] -
Drops file in Windows directory 1 IoCs
Processes:
mspaint.exedescription ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 50 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MEMZ.exetaskse.exetaskse.exe@[email protected]MEMZ.exe@[email protected]@[email protected]taskdl.exetaskse.exe@[email protected]cmd.exe@[email protected]@[email protected]taskse.exe@[email protected]taskdl.execscript.exeMEMZ.exetaskse.exetaskse.exeWannaCry (1).EXEicacls.exereg.exetaskdl.exetaskdl.exetaskdl.exeMEMZ.exeattrib.exeMEMZ.execmd.exe@[email protected]cmd.exetaskhsvc.exe@[email protected]@[email protected]taskse.execmd.exeMEMZ.exetaskdl.exe@[email protected]taskse.exetaskdl.exeattrib.exetaskdl.exeMEMZ.exenotepad.exeWMIC.exetaskdl.exeregedit.exeexplorer.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MEMZ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MEMZ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MEMZ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WannaCry (1).EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MEMZ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MEMZ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskhsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MEMZ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language @[email protected] Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MEMZ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regedit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies registry class 3 IoCs
Processes:
msedge.exemsedge.exeexplorer.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{511A6B21-62DF-41A5-854F-1CBAC9610B1A} msedge.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings explorer.exe -
Modifies registry key 1 TTPs 1 IoCs
-
NTFS ADS 3 IoCs
Processes:
msedge.exedescription ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 598864.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 62223.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 426061.crdownload:SmartScreen msedge.exe -
Runs regedit.exe 1 IoCs
Processes:
regedit.exepid Process 1480 regedit.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exetaskhsvc.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exepid Process 1440 msedge.exe 1440 msedge.exe 4272 msedge.exe 4272 msedge.exe 3716 identity_helper.exe 3716 identity_helper.exe 2304 msedge.exe 2304 msedge.exe 5976 msedge.exe 5976 msedge.exe 6104 msedge.exe 6104 msedge.exe 2456 msedge.exe 2456 msedge.exe 2456 msedge.exe 2456 msedge.exe 5840 taskhsvc.exe 5840 taskhsvc.exe 5840 taskhsvc.exe 5840 taskhsvc.exe 5840 taskhsvc.exe 5840 taskhsvc.exe 5956 MEMZ.exe 5956 MEMZ.exe 5800 MEMZ.exe 5800 MEMZ.exe 5800 MEMZ.exe 5956 MEMZ.exe 5800 MEMZ.exe 5956 MEMZ.exe 740 MEMZ.exe 740 MEMZ.exe 740 MEMZ.exe 5568 MEMZ.exe 5568 MEMZ.exe 740 MEMZ.exe 5956 MEMZ.exe 5956 MEMZ.exe 5800 MEMZ.exe 5800 MEMZ.exe 5596 MEMZ.exe 5596 MEMZ.exe 5596 MEMZ.exe 5596 MEMZ.exe 5956 MEMZ.exe 5956 MEMZ.exe 5800 MEMZ.exe 5800 MEMZ.exe 740 MEMZ.exe 740 MEMZ.exe 5568 MEMZ.exe 5568 MEMZ.exe 740 MEMZ.exe 740 MEMZ.exe 5568 MEMZ.exe 5568 MEMZ.exe 5800 MEMZ.exe 5800 MEMZ.exe 5956 MEMZ.exe 5956 MEMZ.exe 5596 MEMZ.exe 5596 MEMZ.exe 5956 MEMZ.exe 5800 MEMZ.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
regedit.exepid Process 1480 regedit.exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid Process 4