Analysis
- max time kernel: 150s
- max time network: 159s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 13-05-2021 12:33
Static task: static1
Behavioral task: behavioral1
  Sample: 6b714812ff41c8772a44becd25a135e628e3ca0cbc0ab1a9d78573828b7b4c08.dll
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 6b714812ff41c8772a44becd25a135e628e3ca0cbc0ab1a9d78573828b7b4c08.dll
  Resource: win10v20210408
General
- Target: 6b714812ff41c8772a44becd25a135e628e3ca0cbc0ab1a9d78573828b7b4c08.dll
- Size: 5.0MB
- MD5: 51b2d63e9620e8cc494f44c9fe856a09
- SHA1: 4ba0268089ede8bc03655848904bdbbf31e8e590
- SHA256: 6b714812ff41c8772a44becd25a135e628e3ca0cbc0ab1a9d78573828b7b4c08
- SHA512: 41bf9614e8a9cbf8c52e255d82ca8af8be9fd076fece0d5c9ecfbb89ce1c278599b44d81b8dfc0190643e5890f31052aa6e6c67a4762dbf057d4ea586579f48b
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
    2452  mssecsvc.exe
    1232  mssecsvc.exe
    956   tasksche.exe
- Drops file in System32 directory (5 IoCs)
  Processes (description, IoC, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies  mssecsvc.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5  mssecsvc.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  mssecsvc.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  mssecsvc.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, IoC, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (8 IoCs)
  Processes (description, IoC, process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, PID, process, target process):
    PID 660 wrote to memory of 4000   660   rundll32.exe  rundll32.exe
    PID 660 wrote to memory of 4000   660   rundll32.exe  rundll32.exe
    PID 660 wrote to memory of 4000   660   rundll32.exe  rundll32.exe
    PID 4000 wrote to memory of 2452  4000  rundll32.exe  mssecsvc.exe
    PID 4000 wrote to memory of 2452  4000  rundll32.exe  mssecsvc.exe
    PID 4000 wrote to memory of 2452  4000  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b714812ff41c8772a44becd25a135e628e3ca0cbc0ab1a9d78573828b7b4c08.dll,#1
  PID: 660
  Signatures:
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b714812ff41c8772a44becd25a135e628e3ca0cbc0ab1a9d78573828b7b4c08.dll,#1
    PID: 4000
    Signatures:
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2452
      Signatures:
        - Executes dropped EXE
        - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 956
        Signatures:
          - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1232
  Signatures:
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Downloads
- C:\WINDOWS\mssecsvc.exe
  MD5: ea850e72db29f2afeffd9a5d73fce46a
  SHA1: 23085cf73ae605e92dcf0b05c9eb753ccf2d2208
  SHA256: 9ef975ddd81f1fadfd54dd5fca21c36406fc64cc94180de386574e7bf5e2d104
  SHA512: 94dbeb10dfd9ef8680b307027ea49bff2d287c3ab3c82c602589c10db0a03c9de68cb126a1e3b874a94be98a7366541a5e0b5fe1cdcff53e2815578a85ba9ebd
- C:\Windows\tasksche.exe
  MD5: 9c1aa2b49383fada47dfe88d6da14b44
  SHA1: a0230d3601de00ddd893a399dc9c6d081aa2962a
  SHA256: a557bf0c29df2264aa58fd54d4c43f423288969425cf3bd15f618f0691fb6cc2
  SHA512: d6752103596a01c78450bba4625600e7ab03bb9b00c47a4b2ba47b8d0ac3af2aeeb03637789f2bd6403a7b87eb1e4fa39b6d53ce71767e9119562d0c8ea2eb8a
- memory/2452-115-0x0000000000000000-mapping.dmp
- memory/4000-114-0x0000000000000000-mapping.dmp