Analysis Overview
SHA256
ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26
Threat Level: Known bad
The file ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe was found to be: Known bad.
Malicious Activity Summary
Wannacry
Wannacry family
Drops file in System32 directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-18 12:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-18 12:28
Reported
2025-02-18 12:29
Platform
win10ltsc2021-20250218-en
Max time kernel
45s
Max time network
26s
Command Line
Signatures
Wannacry
Wannacry family
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\WINDOWS\tasksche.exe | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
"C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe"
C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe
C:\Users\Admin\AppData\Local\Temp\ca0fd61f579ff8a0c7760cc8d5ae85e073c39f9413fb4dad4113933455ce1f26.exe -m security
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5004 -ip 5004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1124
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | udp |
| US | 103.224.212.215:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp |
| US | 8.8.8.8:53 | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | udp |
| US | 199.59.243.228:80 | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp |
| US | 103.224.212.215:80 | www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp |
| US | 199.59.243.228:80 | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | tcp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 51.140.244.186:443 | checkappexec.microsoft.com | tcp |