Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-06-2022 17:25
Static task
static1
Behavioral task
behavioral1
Sample
mssecsvc.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
mssecsvc.exe
Resource
win10v2004-20220414-en
General
-
Target
mssecsvc.exe
-
Size
3.6MB
-
MD5
e8089341ee0442a2ecf82e4b70829143
-
SHA1
cec9a0b3c2914b49bf0b5dbbd3b1907cb8a6b578
-
SHA256
55bc52ead4c668b4dad978bebd80821a68eccd36b3927072a5d113cd5d79a27a
-
SHA512
738f731a3e118245c092a99e6822bb6e3f2294bcf4ec28ff4bbf43a98a0567d8d8d7b9ffff1bb5f7a9162335427c2e682a5ad48c9f9413818cd3baf81c6f0862
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
-
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
-
Contacts a large (3320) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 1580 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe"C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe"1⤵
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\mssecsvc.exeC:\Users\Admin\AppData\Local\Temp\mssecsvc.exe -m security1⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD57bffd6dfd8e5c5fe55577df5d87559e5
SHA13536b3d1fa74db8619e305ff4bc772ea82d53c0f
SHA256c5d0817617551bf5bae966e0c95ad66a1f536633b44b0eeb09ae3ee33ac67980
SHA512af153f93af0a80b2ab351eced1063d164f9c43ad5f604ddae41b738a03bf1e12b723c312905165725894b9e1d4d38841b48123d995371eaab33fd9574047e77e