Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 15-05-2021 07:35
Static task: static1
Behavioral task: behavioral1
- Sample: 9ce656f2fdeef73ccf15b8589b150d2a5e3d22b03c1947d7e2f65e69e4909488.dll
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 9ce656f2fdeef73ccf15b8589b150d2a5e3d22b03c1947d7e2f65e69e4909488.dll
- Resource: win10v20210410
General
- Target: 9ce656f2fdeef73ccf15b8589b150d2a5e3d22b03c1947d7e2f65e69e4909488.dll
- Size: 5.0MB
- MD5: ce494e90f5ba942a3f1c0fe557e598bf
- SHA1: f9b816aa2e019d192de555ed7fe0fd9aba1d4f68
- SHA256: 9ce656f2fdeef73ccf15b8589b150d2a5e3d22b03c1947d7e2f65e69e4909488
- SHA512: 6212b2f7e188048dd83d58db5b42b6cfad34b41f223c94d4996a6402d827bdcb2ff41b8d92992cc399b8582c3f9862e93f7a47409c7edacfb43c1556d57995e1
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    184   mssecsvc.exe
    1532  mssecsvc.exe
    2384  tasksche.exe
- Drops file in System32 directory (5 IoCs)
  Processes:
    description                   ioc                                                                                                    process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat       mssecsvc.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5         mssecsvc.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE                  mssecsvc.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies                   mssecsvc.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5           mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (8 IoCs)
  Processes:
    description      ioc                                                                                                                    process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"          mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"         mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"        mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"           mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix      mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"   mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                           mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                         pid   process       target process
    PID 3232 wrote to memory of 3700    3232  rundll32.exe  rundll32.exe
    PID 3232 wrote to memory of 3700    3232  rundll32.exe  rundll32.exe
    PID 3232 wrote to memory of 3700    3232  rundll32.exe  rundll32.exe
    PID 3700 wrote to memory of 184     3700  rundll32.exe  mssecsvc.exe
    PID 3700 wrote to memory of 184     3700  rundll32.exe  mssecsvc.exe
    PID 3700 wrote to memory of 184     3700  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ce656f2fdeef73ccf15b8589b150d2a5e3d22b03c1947d7e2f65e69e4909488.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9ce656f2fdeef73ccf15b8589b150d2a5e3d22b03c1947d7e2f65e69e4909488.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Downloads
- C:\WINDOWS\mssecsvc.exe
  MD5: 3d3b7e106612cc5086ef3e8aff697829
  SHA1: b25e174d297361d98dc6d9248c1a858346135648
  SHA256: d26d0b5d6dd45a1c25aa5b5202f139eb90ded45216aaba4a6321f9e3ec5fd94a
  SHA512: 2df70df4cb5b9d2343f78f2bedc7fcccfd0bd2c8c95e6d27688669d9889616a12e264f2d9d963fb85d3501d571094a8f41a9f95ea54ffe621a160af8fda26f41
- C:\Windows\mssecsvc.exe
  MD5: 3d3b7e106612cc5086ef3e8aff697829
  SHA1: b25e174d297361d98dc6d9248c1a858346135648
  SHA256: d26d0b5d6dd45a1c25aa5b5202f139eb90ded45216aaba4a6321f9e3ec5fd94a
  SHA512: 2df70df4cb5b9d2343f78f2bedc7fcccfd0bd2c8c95e6d27688669d9889616a12e264f2d9d963fb85d3501d571094a8f41a9f95ea54ffe621a160af8fda26f41
- C:\Windows\tasksche.exe
  MD5: 72a0273e5bdad2089ab90020265fcbce
  SHA1: 4a64856c9b86cc9f74fc6e74524d3cb09c3668a4
  SHA256: 45dc98a814d1bfd4ba7790b607da53678df7c99e3e1747f7ad4f56899e3805e4
  SHA512: e02a324565dee584ba64e47936c5ab6a70d0c00e69e9767bf82d8c8195771a8270699f72ad0d64a490d22b0be32b54ce04c3df973baa8e8b65434781e848eb02
- memory/184-115-0x0000000000000000-mapping.dmp
- memory/3700-114-0x0000000000000000-mapping.dmp