Analysis
max time kernel: 150s
max time network: 149s
platform: windows10_x64
resource: win10v20210410
submitted: 15-05-2021 12:28
Static task: static1
Behavioral task: behavioral1
Sample: e0f23e08c81f3332920a10c528421335dc864ab358150d26a9455de48dc9b63c.dll
Resource: win7v20210410
Behavioral task: behavioral2
Sample: e0f23e08c81f3332920a10c528421335dc864ab358150d26a9455de48dc9b63c.dll
Resource: win10v20210410
General
Target: e0f23e08c81f3332920a10c528421335dc864ab358150d26a9455de48dc9b63c.dll
Size: 5.0MB
MD5: 6a75c79078d884b91588891f2e6e8447
SHA1: c3a43a53c49c2a99ccedf369756820a745062d2d
SHA256: e0f23e08c81f3332920a10c528421335dc864ab358150d26a9455de48dc9b63c
SHA512: 8a46873cd8c1a0c5fa6bdd0147e2ef01e0fd8926a23cc86ce6fb7999175c5e88016502eb5f7262a491a2d2d8be3a8d2196feb06cc20f191bd2b1e8194e81b93a
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
2488  mssecsvc.exe
3540  mssecsvc.exe
2984  tasksche.exe
-
Drops file in System32 directory 5 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mssecsvc.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
-
Modifies data under HKEY_USERS 8 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 2016 wrote to memory of 964 | 2016 | rundll32.exe | rundll32.exe
PID 2016 wrote to memory of 964 | 2016 | rundll32.exe | rundll32.exe
PID 2016 wrote to memory of 964 | 2016 | rundll32.exe | rundll32.exe
PID 964 wrote to memory of 2488 | 964 | rundll32.exe | mssecsvc.exe
PID 964 wrote to memory of 2488 | 964 | rundll32.exe | mssecsvc.exe
PID 964 wrote to memory of 2488 | 964 | rundll32.exe | mssecsvc.exe
-
Processes
-
(depth 1) C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0f23e08c81f3332920a10c528421335dc864ab358150d26a9455de48dc9b63c.dll,#1
    - Suspicious use of WriteProcessMemory
    (depth 2) C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0f23e08c81f3332920a10c528421335dc864ab358150d26a9455de48dc9b63c.dll,#1
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        (depth 3) C:\WINDOWS\mssecsvc.exe
            Command line: C:\WINDOWS\mssecsvc.exe
            - Executes dropped EXE
            - Drops file in Windows directory
            (depth 4) C:\WINDOWS\tasksche.exe
                Command line: C:\WINDOWS\tasksche.exe /i
                - Executes dropped EXE
-
(depth 1) C:\WINDOWS\mssecsvc.exe
    Command line: C:\WINDOWS\mssecsvc.exe -m security
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Downloads
-
C:\WINDOWS\mssecsvc.exe
MD5: b3fb79066e2c78886e881eab72508ea2
SHA1: 6255f9688abc86f1f9791ecf1e5364444947316d
SHA256: d02107f99381bc9f1a339ed2a5febda059621d404ff97705466969a29da04a75
SHA512: ba1f57d9a07942db332466c3b8693c8c7eef5e0876b1dd2c89b53acf158475f12c478e3c11067f7d9b90f8d76bd315bfe33b1efe41b37b573340937fc1a0c468
-
C:\Windows\mssecsvc.exe
MD5: b3fb79066e2c78886e881eab72508ea2
SHA1: 6255f9688abc86f1f9791ecf1e5364444947316d
SHA256: d02107f99381bc9f1a339ed2a5febda059621d404ff97705466969a29da04a75
SHA512: ba1f57d9a07942db332466c3b8693c8c7eef5e0876b1dd2c89b53acf158475f12c478e3c11067f7d9b90f8d76bd315bfe33b1efe41b37b573340937fc1a0c468
-
C:\Windows\tasksche.exe
MD5: 1e7f58490de1b17256e518c1efdd3113
SHA1: 24a6f9e5768bbe582ca6b52a5723c3bb7d840be9
SHA256: c68b846ca3052caa2a6a714873cbf38bcaecf057628d0207df064476d53e5e33
SHA512: 336ff3f9ab827d278f4ffdcf8c985c0ff16f73e91f863605b058131fa3400ed65ea126f80776ce7a2d26f4483d5a5b53e315c68bfb862a5d0f501d04b330fd97
-
memory/964-114-0x0000000000000000-mapping.dmp
-
memory/2488-115-0x0000000000000000-mapping.dmp
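The following Python script is an added example, not part of the sandbox report: it replays the process tree, the two files created under C:\WINDOWS and the dropped-file hashes from the Downloads section as constructed Sysmon-style events, and flags each stage of the chain so the report's signatures can be turned into host-side detection logic. Field names follow Sysmon event ID 1 (Image, CommandLine, ParentImage) and event ID 11 (TargetFilename, Hashes) naming, but every event below is constructed. The parent images for the first rundll32.exe and for the "-m security" re-launch are assumptions, since the report lists both at depth 1 with no parent.

```python
"""Replay of the execution chain recorded in this report as a detection check.

Added example, not part of the sandbox report. Events are constructed to
mirror the report's process tree, dropped files and hashes using Sysmon-style
field names. Parent images for the first rundll32.exe and for the
"-m security" re-launch are assumptions (the report shows no parent for them).
"""
import re
from dataclasses import dataclass

# SHA256 values of the dropped binaries, copied from the report's Downloads section.
KNOWN_DROPPED_SHA256 = {
    "d02107f99381bc9f1a339ed2a5febda059621d404ff97705466969a29da04a75": "mssecsvc.exe",
    "c68b846ca3052caa2a6a714873cbf38bcaecf057628d0207df064476d53e5e33": "tasksche.exe",
}

# Paths the report shows being created by rundll32.exe and mssecsvc.exe.
DROPPED_PATHS = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\e0f23e08c81f3332920a10c528421335dc864ab358150d26a9455de48dc9b63c.dll"


@dataclass
class Event:
    kind: str          # "process" (Sysmon EID 1) or "file" (Sysmon EID 11)
    image: str         # Image: the acting process
    cmdline: str = ""  # CommandLine (process events)
    parent: str = ""   # ParentImage (process events)
    target: str = ""   # TargetFilename (file events)
    hashes: str = ""   # Hashes, e.g. "MD5=...,SHA256=..." (file events)


def base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def sha256_of(hashes: str) -> str:
    """Pull the SHA256 value out of a Sysmon Hashes string."""
    for part in hashes.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def detect(events):
    """Return (rule, evidence) pairs for every event matching the report's chain."""
    hits = []
    for e in events:
        img = base(e.image)
        if e.kind == "process":
            cmd = e.cmdline.lower()
            # rundll32 invoking a DLL export by ordinal, as in the ",#1" command line.
            if img == "rundll32.exe" and re.search(r"\.dll,#\d+", cmd):
                hits.append(("rundll32_export_by_ordinal", e.cmdline))
            # rundll32 -> mssecsvc.exe is the dropper stage of the tree.
            if img == "mssecsvc.exe" and base(e.parent) == "rundll32.exe":
                hits.append(("rundll32_spawns_mssecsvc", f"{e.parent} -> {e.image}"))
            # "-m security" is the service-mode re-launch seen at depth 1.
            if img == "mssecsvc.exe" and "-m security" in cmd:
                hits.append(("mssecsvc_service_mode", e.cmdline))
            # mssecsvc.exe -> tasksche.exe /i is the payload stage.
            if img == "tasksche.exe" and base(e.parent) == "mssecsvc.exe":
                hits.append(("mssecsvc_spawns_tasksche", e.cmdline))
        elif e.kind == "file":
            if e.target.lower() in DROPPED_PATHS:
                hits.append(("wannacry_dropper_file", e.target))
            name = KNOWN_DROPPED_SHA256.get(sha256_of(e.hashes))
            if name:
                hits.append(("known_wannacry_hash", f"{e.target} matches {name}"))
    return hits


# Constructed event stream following the report's process tree and Downloads.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1",
          parent=r"C:\Windows\explorer.exe"),                       # parent assumed
    Event("process", r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1",
          parent=r"C:\Windows\system32\rundll32.exe"),
    Event("file", r"C:\Windows\SysWOW64\rundll32.exe", target=r"C:\WINDOWS\mssecsvc.exe",
          hashes="MD5=b3fb79066e2c78886e881eab72508ea2,"
                 "SHA256=d02107f99381bc9f1a339ed2a5febda059621d404ff97705466969a29da04a75"),
    Event("process", r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe",
          parent=r"C:\Windows\SysWOW64\rundll32.exe"),
    Event("file", r"C:\WINDOWS\mssecsvc.exe", target=r"C:\WINDOWS\tasksche.exe",
          hashes="SHA256=c68b846ca3052caa2a6a714873cbf38bcaecf057628d0207df064476d53e5e33"),
    Event("process", r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i",
          parent=r"C:\WINDOWS\mssecsvc.exe"),
    Event("process", r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security",
          parent=r"C:\Windows\System32\services.exe"),              # parent assumed
]

# Benign rundll32 use that must not fire: a named export and no dropped-path writes.
BENIGN_EVENT = Event("process", r"C:\Windows\System32\rundll32.exe",
                     "rundll32.exe shell32.dll,Control_RunDLL",
                     parent=r"C:\Windows\explorer.exe")


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {evidence}")
```

The Network section of this report is empty, so the example keys on host artefacts only; the WriteProcessMemory IoCs are likewise not replayed, as Sysmon has no direct event for that call. Matching on the dropped-file hashes catches exactly these binaries, while the rundll32 ordinal-export and parent/child rules still fire when the payload is rebuilt with different hashes.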