Malware Analysis Report

2025-08-05 15:28

Sample ID: 250218-pnf3bazpfk
Target: ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
SHA256: ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26
Tags: wannacry discovery ransomware worm
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26

Threat Level: Known bad

The file ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe was found to be: Known bad.

Malicious Activity Summary

wannacry discovery ransomware worm

Wannacry

Wannacry family

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-02-18 12:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-02-18 12:28

Reported: 2025-02-18 12:29

Platform: win10ltsc2021-20250218-en

Max time kernel: 45s

Max time network: 26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe"

Signatures

Wannacry

Tags: ransomware worm wannacry

Wannacry family

Tags: wannacry

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\WINDOWS\tasksche.exe | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | "C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe"
C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe -m security
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5004 -ip 5004
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1124
C:\Program Files\7-Zip\7zFM.exe | "C:\Program Files\7-Zip\7zFM.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | udp
US | 103.224.212.215:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
US | 8.8.8.8:53 | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | udp
US | 199.59.243.228:80 | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
US | 103.224.212.215:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
US | 199.59.243.228:80 | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp
US | 8.8.8.8:53 | checkappexec.microsoft.com | udp
GB | 51.140.244.186:443 | checkappexec.microsoft.com | tcp

Files

N/A