Analysis
- max time kernel: 150s
- max time network: 161s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 13-05-2021 15:23
Static task: static1
Behavioral task: behavioral1
- Sample: 41702a962d24752381830debe8bfa2a257b7f577174c2ee97ea4ac8279e24afe.dll
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: 41702a962d24752381830debe8bfa2a257b7f577174c2ee97ea4ac8279e24afe.dll
- Resource: win10v20210408
General
- Target: 41702a962d24752381830debe8bfa2a257b7f577174c2ee97ea4ac8279e24afe.dll
- Size: 5.0MB
- MD5: 747b122d2ac5005ca8f29a5b8dc4a510
- SHA1: 1dfff0f3e4db78ce4b464384e6b10527aed21a83
- SHA256: 41702a962d24752381830debe8bfa2a257b7f577174c2ee97ea4ac8279e24afe
- SHA512: aafd304192cf3ad707bcf3b9f936dbdccfd07f6f2640b684d4a3c9d04097eed6b7c6cd80955814ac1828cdcbc6fd7f6290131f6c53b686a5d83fa0012773e789
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid  | process
    2212 | mssecsvr.exe
    2344 | mssecsvr.exe
- Drops file in System32 directory (5 IoCs)
  Processes:
    description                 | ioc                                                                                                     | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat       | mssecsvr.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5         | mssecsvr.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                  | mssecsvr.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                   | mssecsvr.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5           | mssecsvr.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                      | process
    File created | C:\WINDOWS\tasksche.exe  | mssecsvr.exe
    File created | C:\WINDOWS\mssecsvr.exe  | rundll32.exe
- Modifies data under HKEY_USERS (8 IoCs)
  Processes:
    description     | ioc                                                                                                                        | process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix            | mssecsvr.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvr.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvr.exe
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                 | mssecsvr.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"                | mssecsvr.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"               | mssecsvr.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"              | mssecsvr.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"                 | mssecsvr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                    | pid  | process      | target process
    PID 584 wrote to memory of 3160  | 584  | rundll32.exe | rundll32.exe
    PID 584 wrote to memory of 3160  | 584  | rundll32.exe | rundll32.exe
    PID 584 wrote to memory of 3160  | 584  | rundll32.exe | rundll32.exe
    PID 3160 wrote to memory of 2212 | 3160 | rundll32.exe | mssecsvr.exe
    PID 3160 wrote to memory of 2212 | 3160 | rundll32.exe | mssecsvr.exe
    PID 3160 wrote to memory of 2212 | 3160 | rundll32.exe | mssecsvr.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41702a962d24752381830debe8bfa2a257b7f577174c2ee97ea4ac8279e24afe.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 584
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41702a962d24752381830debe8bfa2a257b7f577174c2ee97ea4ac8279e24afe.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3160
    - C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2212
- C:\WINDOWS\mssecsvr.exe
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2344
Network
MITRE ATT&CK Matrix
Downloads
- C:\WINDOWS\mssecsvr.exe
  MD5: 06e78b5b0d8da6a5411613c4c75d27e7
  SHA1: cee5e801a9fbd7f50515983fe4784fdf91eea5a2
  SHA256: 6396533d8a3fcef9bd5cc47449de1dd3c3c6dac03104c85f0a8cfae9e85f7dde
  SHA512: b3b9138fdc14fa2666e97ad08b3fad9ddebab7c523ed578e38794c3d4d55133318aa8094e5f94a4918ec510706ec8b2cf0a03107b12a3d4ab9c84b2a96ab9feb
- C:\Windows\mssecsvr.exe
  MD5: 06e78b5b0d8da6a5411613c4c75d27e7
  SHA1: cee5e801a9fbd7f50515983fe4784fdf91eea5a2
  SHA256: 6396533d8a3fcef9bd5cc47449de1dd3c3c6dac03104c85f0a8cfae9e85f7dde
  SHA512: b3b9138fdc14fa2666e97ad08b3fad9ddebab7c523ed578e38794c3d4d55133318aa8094e5f94a4918ec510706ec8b2cf0a03107b12a3d4ab9c84b2a96ab9feb
- memory/2212-115-0x0000000000000000-mapping.dmp
- memory/3160-114-0x0000000000000000-mapping.dmp