Analysis
max time kernel: 150s
max time network: 154s
platform: windows10_x64
resource: win10v200722
submitted: 16-10-2020 21:37

Static task: static1

Behavioral task: behavioral1
  Sample: 5e28e910940af14e17d57de2977c2019fe81e8546c7daeab2725c5927ce4ce1e.dll
  Resource: win7v200722

Behavioral task: behavioral2
  Sample: 5e28e910940af14e17d57de2977c2019fe81e8546c7daeab2725c5927ce4ce1e.dll
  Resource: win10v200722
General
Target: 5e28e910940af14e17d57de2977c2019fe81e8546c7daeab2725c5927ce4ce1e.dll
Size: 5.0MB
MD5: 6f2a81fa5f34458251c0816159efb6ca
SHA1: 7e211a896555b09996bc53f340af713f579dadfa
SHA256: 5e28e910940af14e17d57de2977c2019fe81e8546c7daeab2725c5927ce4ce1e
SHA512: 31df3240675d10d15ac4b272a92425b46ffe6ee4d397a5d34179a09318feb61c70642e7ec1df568998b43686c07a2a8312a31981cf51a2f60a21c53bc04cd499
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Executes dropped EXE (3 IoCs)
Processes:
  pid  | process
  3956 | mssecsvc.exe
  4012 | mssecsvc.exe
  2560 | tasksche.exe

Drops file in System32 directory (7 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mssecsvc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mssecsvc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mssecsvc.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\EX0WFP2N.cookie | mssecsvc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\EX0WFP2N.cookie | mssecsvc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | mssecsvc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mssecsvc.exe

Drops file in Windows directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

Modifies data under HKEY_USERS (8 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | process | target process
  PID 864 wrote to memory of 1728 | 864 | rundll32.exe | rundll32.exe
  PID 864 wrote to memory of 1728 | 864 | rundll32.exe | rundll32.exe
  PID 864 wrote to memory of 1728 | 864 | rundll32.exe | rundll32.exe
  PID 1728 wrote to memory of 3956 | 1728 | rundll32.exe | mssecsvc.exe
  PID 1728 wrote to memory of 3956 | 1728 | rundll32.exe | mssecsvc.exe
  PID 1728 wrote to memory of 3956 | 1728 | rundll32.exe | mssecsvc.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e28e910940af14e17d57de2977c2019fe81e8546c7daeab2725c5927ce4ce1e.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e28e910940af14e17d57de2977c2019fe81e8546c7daeab2725c5927ce4ce1e.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         4. C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
1. C:\WINDOWS\mssecsvc.exe
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Downloads
C:\WINDOWS\mssecsvc.exe
  MD5: aaac4f4442ab7478126d61316c740afe
  SHA1: 22125cfa3072adc8d1a05859c4f83f445db68a61
  SHA256: 816adc100114f8fb4cb8abd9566496cec3af255e5ec131c50e50b64d975ecaca
  SHA512: acf29483cf37a7104b80f580a3cb21b185258f993c23e097674863dc8a83759839ce5cea21ac160e306aa07f5fbe0dd0878466f5b334dd8002e61918ea26cb9b
C:\Windows\tasksche.exe
  MD5: a32d2c5d51aafaa54ae3117db26b72ce
  SHA1: e6e0a521f95d78b4897b7e24ca4cf76eac9b6d84
  SHA256: 011ae0697f87e8b45d3815e15655e3ee86f438f2a03e1e5fae5b424d9aad7603
  SHA512: 8da0b7bbda1bfb38f9c38c8ee00796ac5415bf1d2f4dd9d6ec69c4c2a2c4f3fdee136550f3a88772d9383513f7585b71cddf74ff68ace8cd8ecc4b8b00342864

memory/1728-0-0x0000000000000000-mapping.dmp
memory/3956-1-0x0000000000000000-mapping.dmp