Analysis

max time kernel: 45s
max time network: 26s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250218-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250218-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 18/02/2025, 12:28

Static task: static1
Behavioral task: behavioral1
Sample: ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
Resource: win10ltsc2021-20250218-en
General

Target: ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
Size: 5.0MB
MD5: f59c100dc24aee439206d9a3989232ce
SHA1: 371e747153587bde7a8efb12f9484e4e23174f1f
SHA256: ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26
SHA512: ce4402cee0c19b1a7f61dc16e2cca0bf7d0e9f73a077384f62fd0cb8f4daff867cd6cdf17ee56299a2b706c617e907705385f15238871f53998bb67419d0ad69
SSDEEP: 24576:hbtkVihdmMS7dhAdlvQihdmMJdhAdlv/jkQg6eX6SASkvdhAdlvw:huMS7dhMvaMJdhMv/jkQo6SAFdhMvw
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Wannacry family

Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\WINDOWS\tasksche.exe | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe

Program crash (1 IoC)
pid | pid_target | Process | procid_target
2720 | 5004 | WerFault.exe | 79
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
Modifies data under HKEY_USERS (8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
648 | 7zFM.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 648 | 7zFM.exe
Token: 35 | 648 | 7zFM.exe
Processes

C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe"
  PID: 1628
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery

C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe -m security
  PID: 5004
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS

    Child process: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1124
      PID: 2720
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5004 -ip 5004
  PID: 548

C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe"
  PID: 648
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken