Analysis

max time kernel: 150s
max time network: 165s
platform: windows10_x64
resource: win10v20210410
submitted: 07-06-2021 21:01

Static task: static1

Behavioral task: behavioral1
  Sample: 9d8f4e053f34a44ec64e60d3aaafdee63c5186e214f2b94b7cd2252c9d587c10.dll
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: 9d8f4e053f34a44ec64e60d3aaafdee63c5186e214f2b94b7cd2252c9d587c10.dll
  Resource: win10v20210410
General

Target: 9d8f4e053f34a44ec64e60d3aaafdee63c5186e214f2b94b7cd2252c9d587c10.dll
Size: 5.0MB
MD5: ff38612983c71c9a02e1308157a838cd
SHA1: ad9df85427e1b45fb376d25839107f42a7df738f
SHA256: 9d8f4e053f34a44ec64e60d3aaafdee63c5186e214f2b94b7cd2252c9d587c10
SHA512: 54afd9c7d142470ff0893d2cf1b72b4db5cec28c221a0e19001701a9e42a5c7887486995c1cc72fb72e149c95950368862c11abb247e9ec0e1b9dd2cd1d81696
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Executes dropped EXE (3 IoCs)
  PID   Process
  812   mssecsvc.exe
  2196  mssecsvc.exe
  3600  tasksche.exe

- Drops file in System32 directory (5 IoCs)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE (mssecsvc.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies (mssecsvc.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 (mssecsvc.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat (mssecsvc.exe)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 (mssecsvc.exe)

- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)

- Modifies data under HKEY_USERS (8 IoCs)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (mssecsvc.exe)

- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1844 (rundll32.exe) wrote to memory of PID 348 (rundll32.exe), reported 3 times
  PID 348 (rundll32.exe) wrote to memory of PID 812 (mssecsvc.exe), reported 3 times
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d8f4e053f34a44ec64e60d3aaafdee63c5186e214f2b94b7cd2252c9d587c10.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d8f4e053f34a44ec64e60d3aaafdee63c5186e214f2b94b7cd2252c9d587c10.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
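The process tree and the "Executes dropped EXE" / "Drops file in Windows directory" signatures above describe a three-stage chain: rundll32 running the sample DLL writes and starts C:\WINDOWS\mssecsvc.exe, that process drops and starts C:\WINDOWS\tasksche.exe /i, and a second mssecsvc.exe instance runs with "-m security". The following is an added example, not part of the sandbox report, that turns those observations into hunting rules over process-creation events. The event shape (pid, ppid, image path, command line, optional SHA256) is a constructed, simplified record rather than any real sensor's schema; the PIDs, command lines and hashes in the sample data come from the report, while the parent PIDs of the two root processes and the benign svchost.exe row are assumptions made for the example.

```python
import ntpath
import re
from dataclasses import dataclass

# SHA256 of the two dropped executables, copied from the report's Downloads section.
KNOWN_SHA256 = {
    "636af8714b39aef1072bac5f69c7c409960a1f4ee7ea5613b451ef14da2d9c28": "mssecsvc.exe",
    "099f733adc72e915baa9139ffae74ed89c486c02cdc56251e7bab3fcd52f53ab": "tasksche.exe",
}


@dataclass
class ProcEvent:
    """Simplified process-creation record (constructed shape, not a real sensor schema)."""
    pid: int
    ppid: int
    image: str        # full path of the started image
    cmdline: str
    sha256: str = ""  # "" when the sensor did not hash the image


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_windows_root(path: str) -> bool:
    # Matches C:\WINDOWS\x.exe in either casing, but not C:\Windows\System32\x.exe.
    return ntpath.dirname(path).lower() == r"c:\windows"


def classify(ev: ProcEvent, by_pid: dict) -> list:
    """Return the reasons (possibly none) why one event matches the report's behaviour."""
    hits = []
    name = _name(ev.image)
    parent = by_pid.get(ev.ppid)
    pname = _name(parent.image) if parent else ""

    # Stage 1: rundll32 (running the sample DLL) writes and starts C:\WINDOWS\mssecsvc.exe.
    if name == "mssecsvc.exe" and _in_windows_root(ev.image) and pname == "rundll32.exe":
        hits.append("rundll32.exe started C:\\WINDOWS\\mssecsvc.exe (dropper stage)")
    # Stage 2: mssecsvc.exe relaunched with the "-m security" switch seen in the report.
    if name == "mssecsvc.exe" and re.search(r"\s-m\s+security\b", ev.cmdline, re.I):
        hits.append("mssecsvc.exe relaunched with '-m security' (service stage)")
    # Stage 3: mssecsvc.exe drops and starts C:\WINDOWS\tasksche.exe /i.
    if (name == "tasksche.exe" and _in_windows_root(ev.image)
            and pname == "mssecsvc.exe" and re.search(r"\s/i\b", ev.cmdline, re.I)):
        hits.append("mssecsvc.exe started C:\\WINDOWS\\tasksche.exe /i (payload stage)")
    # Hash match against the dropped files listed in the report.
    known = KNOWN_SHA256.get(ev.sha256.lower())
    if known:
        hits.append(f"image SHA256 matches the report's dropped {known}")
    return hits


def hunt(events: list) -> dict:
    """pid -> match reasons, for every event that matched at least one rule."""
    by_pid = {ev.pid: ev for ev in events}
    results = {}
    for ev in events:
        reasons = classify(ev, by_pid)
        if reasons:
            results[ev.pid] = reasons
    return results


DLL = r"C:\Users\Admin\AppData\Local\Temp\9d8f4e053f34a44ec64e60d3aaafdee63c5186e214f2b94b7cd2252c9d587c10.dll"
MSSECSVC = "636af8714b39aef1072bac5f69c7c409960a1f4ee7ea5613b451ef14da2d9c28"
TASKSCHE = "099f733adc72e915baa9139ffae74ed89c486c02cdc56251e7bab3fcd52f53ab"

# Constructed events mirroring the report's process tree. PIDs 1844, 348, 812, 3600 and 2196
# and the command lines come from the report; the parent PIDs of 1844 and 2196 and the
# svchost.exe row are assumptions made for the example.
SAMPLE_EVENTS = [
    ProcEvent(1844, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(348, 1844, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(812, 348, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe", MSSECSVC),
    ProcEvent(3600, 812, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i", TASKSCHE),
    ProcEvent(2196, 648, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security", MSSECSVC),
    ProcEvent(4444, 648, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS).items():
        for reason in reasons:
            print(f"PID {pid}: {reason}")
```

The rundll32 ...,#1 invocation at the root of the tree is the sandbox's launcher for a DLL sample, so no rule keys on it; the rules key on the dropped image names and their location directly under C:\WINDOWS, on the parent image, and on the "-m security" and "/i" switches the report records. The hash rule is the brittle one (a recompiled dropper changes it), while the parent/child and command-line rules survive that.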
Downloads

- C:\WINDOWS\mssecsvc.exe (also recorded as C:\Windows\mssecsvc.exe)
  MD5: 8291bc470e0700a4eb0eb4c4cce019ed
  SHA1: 16f8eb03aaac75e998eb58e2db44d44c3eadb871
  SHA256: 636af8714b39aef1072bac5f69c7c409960a1f4ee7ea5613b451ef14da2d9c28
  SHA512: ed364184bc8a5408b1400920624224bf5bb5803419d5b52836ade6c05a286d0703432fffe83b85ac9c2805e0c922f4630dcff616c718dd1c2e8bc5ba6bcdbc4d

- C:\Windows\tasksche.exe
  MD5: 3ba6ad701041de8c58661207f6872d85
  SHA1: e500f67e1e3617406152ce49252d59a3186833ec
  SHA256: 099f733adc72e915baa9139ffae74ed89c486c02cdc56251e7bab3fcd52f53ab
  SHA512: b47882cfe5e9103510ef532b020d909c038cb1fc3eefa306bb910a5784f46bc123262b0338806c831a16f92fe26eacfedadecbad16ca21fd5e82fbe10c9bb305

- memory/348-114-0x0000000000000000-mapping.dmp
- memory/812-115-0x0000000000000000-mapping.dmp