Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
05-05-2021 00:36
Static task
static1
Behavioral task
behavioral1
Sample
7a8f03f878be1a9edf1fd5c0d4bef4808be8434410030c2e8f2e9257553cc728.dll
Resource
win7v20210408
Behavioral task
behavioral2
Sample
7a8f03f878be1a9edf1fd5c0d4bef4808be8434410030c2e8f2e9257553cc728.dll
Resource
win10v20210410
General
-
Target
7a8f03f878be1a9edf1fd5c0d4bef4808be8434410030c2e8f2e9257553cc728.dll
-
Size
5.0MB
-
MD5
17243fc984cc18f6bfc96752869722fe
-
SHA1
cb603f094c226fb668a93dd6eaef4dbcda9a0a92
-
SHA256
7a8f03f878be1a9edf1fd5c0d4bef4808be8434410030c2e8f2e9257553cc728
-
SHA512
98ebe3e9f6d6f04f6c9b479e5964094dfa204396f8b012afdcb66e2be325ec2ed4e590df08a78b19959eee7a9e65b0396092d3908a68096fb128408bf78fda23
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Executes dropped EXE 2 IoCs
Processes:
mssecsvc.exemssecsvc.exepid process 1268 mssecsvc.exe 3300 mssecsvc.exe -
Drops file in System32 directory 7 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 mssecsvc.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\KTSPS5V6.cookie mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\KTSPS5V6.cookie mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 8 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4020 wrote to memory of 4052 4020 rundll32.exe rundll32.exe PID 4020 wrote to memory of 4052 4020 rundll32.exe rundll32.exe PID 4020 wrote to memory of 4052 4020 rundll32.exe rundll32.exe PID 4052 wrote to memory of 1268 4052 rundll32.exe mssecsvc.exe PID 4052 wrote to memory of 1268 4052 rundll32.exe mssecsvc.exe PID 4052 wrote to memory of 1268 4052 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7a8f03f878be1a9edf1fd5c0d4bef4808be8434410030c2e8f2e9257553cc728.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7a8f03f878be1a9edf1fd5c0d4bef4808be8434410030c2e8f2e9257553cc728.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeMD5
c7d159397b5c4b1c816151e15d15c786
SHA18deb664e15e2d9f732bf37096dc224bcb59c7200
SHA256cc21463955684526ed9ebf2c70269a08ee5e8b44c9f64d398406c0e2727f1e8c
SHA51211a96bd4ede3365cebb1b8759da35057afbf690df1197da2c42ab62461934bfcf7e34b4f45362aba354eeef6721b392f103a142371d05035b7bfddf8385b0900
-
C:\Windows\mssecsvc.exeMD5
c7d159397b5c4b1c816151e15d15c786
SHA18deb664e15e2d9f732bf37096dc224bcb59c7200
SHA256cc21463955684526ed9ebf2c70269a08ee5e8b44c9f64d398406c0e2727f1e8c
SHA51211a96bd4ede3365cebb1b8759da35057afbf690df1197da2c42ab62461934bfcf7e34b4f45362aba354eeef6721b392f103a142371d05035b7bfddf8385b0900
-
C:\Windows\mssecsvc.exeMD5
c7d159397b5c4b1c816151e15d15c786
SHA18deb664e15e2d9f732bf37096dc224bcb59c7200
SHA256cc21463955684526ed9ebf2c70269a08ee5e8b44c9f64d398406c0e2727f1e8c
SHA51211a96bd4ede3365cebb1b8759da35057afbf690df1197da2c42ab62461934bfcf7e34b4f45362aba354eeef6721b392f103a142371d05035b7bfddf8385b0900
-
memory/1268-115-0x0000000000000000-mapping.dmp
-
memory/4052-114-0x0000000000000000-mapping.dmp