Analysis
max time kernel: 150s
max time network: 154s
platform: windows10_x64
resource: win10v20210410
submitted: 15-05-2021 06:31
Static task: static1
Behavioral task: behavioral1
  Sample: 8a8b241a3395b9d5a710ef4239f121df1489b8a46abd6b0c8fad55905df06fba.dll
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 8a8b241a3395b9d5a710ef4239f121df1489b8a46abd6b0c8fad55905df06fba.dll
  Resource: win10v20210410
General
Target: 8a8b241a3395b9d5a710ef4239f121df1489b8a46abd6b0c8fad55905df06fba.dll
Size: 5.0MB
MD5: e47b15b0137d90824863a9dc6d105647
SHA1: c233929bb352bb8b5e4a02cfc0570b246d5e6eb5
SHA256: 8a8b241a3395b9d5a710ef4239f121df1489b8a46abd6b0c8fad55905df06fba
SHA512: 04f2fb645d7e4b11feda8c3270fd543fccdb3341690d437b4279a33bfaef646db85d64f133f2bfc982140d967c8205d27fe0246654f9d71a9adacc2c6c417a87
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid | process
576 | mssecsvc.exe
2696 | mssecsvc.exe
3520 | tasksche.exe
Drops file in System32 directory (5 IoCs)
Processes: mssecsvc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mssecsvc.exe
Drops file in Windows directory (2 IoCs)
Processes: mssecsvc.exe, rundll32.exe
description | ioc | process
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
Modifies data under HKEY_USERS (8 IoCs)
Processes: mssecsvc.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 3456 wrote to memory of 3904 | 3456 | rundll32.exe | rundll32.exe
PID 3456 wrote to memory of 3904 | 3456 | rundll32.exe | rundll32.exe
PID 3456 wrote to memory of 3904 | 3456 | rundll32.exe | rundll32.exe
PID 3904 wrote to memory of 576 | 3904 | rundll32.exe | mssecsvc.exe
PID 3904 wrote to memory of 576 | 3904 | rundll32.exe | mssecsvc.exe
PID 3904 wrote to memory of 576 | 3904 | rundll32.exe | mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a8b241a3395b9d5a710ef4239f121df1489b8a46abd6b0c8fad55905df06fba.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3456
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a8b241a3395b9d5a710ef4239f121df1489b8a46abd6b0c8fad55905df06fba.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3904
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 576
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3520
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2696
Network
MITRE ATT&CK Matrix
Downloads
C:\WINDOWS\mssecsvc.exe
  MD5: 7b11d4c3dda0783cc64cc15eb73f81a3
  SHA1: a759114bbebd9085aef153a996835d7e3fade6a0
  SHA256: 01288f5bf5390ae8e0dfab80ff4971fb3e4fa8179a363ffeb2ff0dcfd43c583b
  SHA512: 698a0d82b5649b1f9ce8de84e5afc900297c026b475d0d990f8d79f5f69675ffab32f2eaf1b4d9e78c2e9fda80cd5f99482e426e3154fc0948d58dfcaa6f1ac1
C:\Windows\mssecsvc.exe
  MD5: 7b11d4c3dda0783cc64cc15eb73f81a3
  SHA1: a759114bbebd9085aef153a996835d7e3fade6a0
  SHA256: 01288f5bf5390ae8e0dfab80ff4971fb3e4fa8179a363ffeb2ff0dcfd43c583b
  SHA512: 698a0d82b5649b1f9ce8de84e5afc900297c026b475d0d990f8d79f5f69675ffab32f2eaf1b4d9e78c2e9fda80cd5f99482e426e3154fc0948d58dfcaa6f1ac1
C:\Windows\tasksche.exe
  MD5: 57c379e1881a5aa6e789abec995953ec
  SHA1: 8b9026ddc297aed71d5457107c3857f0fc48deb7
  SHA256: 3a8cf4f23866d8cd7b3ca2ce2a35297fd2b520323c5e5b4510a50ea5dba879a8
  SHA512: 71eae2e0f696c2e792dd06457cb20e9df0a7e8c794053e0bad7aa141cd37f87a6dfe63c411d1014043011004245a6c701c7b8337492dfa72ec54caafa18fdff9
memory/576-115-0x0000000000000000-mapping.dmp
memory/3904-114-0x0000000000000000-mapping.dmp