Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15-05-2021 08:21

Static task: static1

Behavioral task: behavioral1
- Sample: 4aa86d876c03a70084d8bb7a240ffe06293496d5c4c3f77761360d2beacd2a95.dll
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: 4aa86d876c03a70084d8bb7a240ffe06293496d5c4c3f77761360d2beacd2a95.dll
- Resource: win10v20210408
General
- Target: 4aa86d876c03a70084d8bb7a240ffe06293496d5c4c3f77761360d2beacd2a95.dll
- Size: 5.0MB
- MD5: 36631678ad952e3a0f7dd5bccfa3d6f9
- SHA1: a08159346ed12fb8c5dee8b1ce4c1fc3fda01254
- SHA256: 4aa86d876c03a70084d8bb7a240ffe06293496d5c4c3f77761360d2beacd2a95
- SHA512: a64e5af897931edb5cd57b421b922a070e5d3d92482eae4751a06a4d2ffa845f9b6db40cd83e1ceff3b9825c8875a11c77f26490294dba2bde64a6c0636e1768
Malware Config

Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Executes dropped EXE (2 IoCs)
  Processes: mssecsvr.exe, mssecsvr.exe
  pid | process
  768 | mssecsvr.exe
  200 | mssecsvr.exe

- Drops file in System32 directory (5 IoCs)
  Processes: mssecsvr.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mssecsvr.exe

- Drops file in Windows directory (2 IoCs)
  Processes: mssecsvr.exe, rundll32.exe
  description | ioc | process
  File created | C:\WINDOWS\tasksche.exe | mssecsvr.exe
  File created | C:\WINDOWS\mssecsvr.exe | rundll32.exe

- Modifies data under HKEY_USERS (8 IoCs)
  Processes: mssecsvr.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvr.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 852 wrote to memory of 1532 | 852 | rundll32.exe | rundll32.exe
  PID 852 wrote to memory of 1532 | 852 | rundll32.exe | rundll32.exe
  PID 852 wrote to memory of 1532 | 852 | rundll32.exe | rundll32.exe
  PID 1532 wrote to memory of 768 | 1532 | rundll32.exe | mssecsvr.exe
  PID 1532 wrote to memory of 768 | 1532 | rundll32.exe | mssecsvr.exe
  PID 1532 wrote to memory of 768 | 1532 | rundll32.exe | mssecsvr.exe
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4aa86d876c03a70084d8bb7a240ffe06293496d5c4c3f77761360d2beacd2a95.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4aa86d876c03a70084d8bb7a240ffe06293496d5c4c3f77761360d2beacd2a95.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe (level 3)
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe (level 1)
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Downloads
- C:\WINDOWS\mssecsvr.exe
  MD5: ea3352c0ca904eda7ee140efe6f3b105
  SHA1: e64e377ee7e154826cdd00fa8cbf1705b752b6ff
  SHA256: 44eed4ecc2c4a133eb595405934bbcb776431bcb560d4f1e9a52f22d0cc24502
  SHA512: d9fb1322b6b818ae71e2adc8abc42fab1fe5948c98fdcc366228e14d0bc1ac45c269cb833031d0002b9228bd33befd29c23464ab6ac6d7ed7cfd3ec41deca1a3
- memory/768-115-0x0000000000000000-mapping.dmp
- memory/1532-114-0x0000000000000000-mapping.dmp