Analysis
Max time kernel: 154s
Max time network: 160s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 15-06-2022 16:59
Static task: static1
Behavioral task: behavioral1
  Sample: 28a084d5a9f7a0d1c1f336f3f75581e6a9cae4dc0a34e44f6fcc79c3dda4dfbe.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 28a084d5a9f7a0d1c1f336f3f75581e6a9cae4dc0a34e44f6fcc79c3dda4dfbe.dll
  Resource: win10v2004-20220414-en
General
Target: 28a084d5a9f7a0d1c1f336f3f75581e6a9cae4dc0a34e44f6fcc79c3dda4dfbe.dll
Size: 5.0MB
MD5: 944fee9b45c08401b1eec8dc1cc06d0c
SHA1: 1cc8b3a27c4f083ebd4787e3fbb8ea3c90d5fb00
SHA256: 28a084d5a9f7a0d1c1f336f3f75581e6a9cae4dc0a34e44f6fcc79c3dda4dfbe
SHA512: c31a988b8f74d1ef554329451b45961c698e767f7f6796e1cd9ccb74c420411f9023e5b842cdd272f5da4ce0a7eacdbb1ac97a51cb681e3925a86e9f4d0111d7
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large (3283) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    716   mssecsvc.exe
    4432  mssecsvc.exe
    3360  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 5032 wrote to memory of 1136  5032  rundll32.exe  rundll32.exe
    PID 5032 wrote to memory of 1136  5032  rundll32.exe  rundll32.exe
    PID 5032 wrote to memory of 1136  5032  rundll32.exe  rundll32.exe
    PID 1136 wrote to memory of 716   1136  rundll32.exe  mssecsvc.exe
    PID 1136 wrote to memory of 716   1136  rundll32.exe  mssecsvc.exe
    PID 1136 wrote to memory of 716   1136  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\28a084d5a9f7a0d1c1f336f3f75581e6a9cae4dc0a34e44f6fcc79c3dda4dfbe.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\28a084d5a9f7a0d1c1f336f3f75581e6a9cae4dc0a34e44f6fcc79c3dda4dfbe.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 491a5e67c6ebfe3a20c7d63a490c1574
  SHA1: 0807884126c2d7e7c51e10c2121ecb3e8d6c2e45
  SHA256: fd48df24ee4c54357bcc70ff5c1b46a32b60e1c1a2456d6c22c62558454329b8
  SHA512: 7a80f2ac87d094b43596f539de9f0884a465db6c49e7d31b810f82106c0d5a479a79b9356e9e17744b70c39e7d438cf0e787f680a641653ca24ab93d679d4298
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 491a5e67c6ebfe3a20c7d63a490c1574
  SHA1: 0807884126c2d7e7c51e10c2121ecb3e8d6c2e45
  SHA256: fd48df24ee4c54357bcc70ff5c1b46a32b60e1c1a2456d6c22c62558454329b8
  SHA512: 7a80f2ac87d094b43596f539de9f0884a465db6c49e7d31b810f82106c0d5a479a79b9356e9e17744b70c39e7d438cf0e787f680a641653ca24ab93d679d4298
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a17cf69bff08691c887dead938d41490
  SHA1: a1d549fdacc6d264543a40d5020a9944f7fc193a
  SHA256: 6677f606aae04cfbf25f6a10700f7bd334df03299b2153d040ea119010c56057
  SHA512: 07c1e2be038efbdf6bd757c45de44a7ed7985875f69317390a7040e5678799fbc0ca8985a034d4f48c156c81e4368cd8f0b0e84513fdfd43e1c7b9c0012a70d6
- memory/716-131-0x0000000000000000-mapping.dmp
- memory/1136-130-0x0000000000000000-mapping.dmp