Analysis
- max time kernel: 152s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 19-06-2022 19:56
Static task: static1
Behavioral task: behavioral1
- Sample: 34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll
- Resource: win10v2004-20220414-en
General
- Target: 34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll
- Size: 5.0MB
- MD5: ab02e31aa2a8ea6eecc684bfa2e3c185
- SHA1: 6665249de09b0900743d45e141c0ec186d2e00b2
- SHA256: 34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12
- SHA512: b3b8f69b5ee03890c41a4619d50dc3bcb569b5921395b226f52f790a53b553006e9ac9be417667a31664443bf7bf6cb0928c63873ffab4267268938afa6923b0
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
  The second rule matches the sample's HTTP request to its hard-coded kill-switch domain; the first matches the reply from the Kryptos Logic sinkhole that now answers for that domain. Both firing means the sample completed the kill-switch round trip during this run.
- Contacts a large number (2246) of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID 528: mssecsvc.exe
  PID 804: mssecsvc.exe
  PID 3724: tasksche.exe
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
  File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
- Modifies data under HKEY_USERS (5 IoCs, all by mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Note: HKEY_USERS\.DEFAULT is the per-user hive of the LocalSystem account, so these writes come from a process running as SYSTEM; the process tree attributes them to the "mssecsvc.exe -m security" instance. These ZoneMap values are typically the defaults that the Internet zone code creates the first time a process in an empty profile uses WinINet/URLMon, so they are a by-product of the HTTP request rather than a deliberate configuration change.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 4684 (rundll32.exe) wrote to memory of PID 4204 (rundll32.exe), 3 events
  PID 4204 (rundll32.exe) wrote to memory of PID 528 (mssecsvc.exe), 3 events
  Note: both pairs line up with the process tree (4684 started 4204, 4204 started 528). A parent writing into a child it has just created is what CreateProcess does while setting up the new address space, so on its own this signature does not show injection into an unrelated process.
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll,#1
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\rundll32.exe (depth 2, child of the above)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll,#1
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
- C:\WINDOWS\mssecsvc.exe (depth 3, child of the above)
  Command line: C:\WINDOWS\mssecsvc.exe
  - Executes dropped EXE
  - Drops file in Windows directory
- C:\WINDOWS\tasksche.exe (depth 4, child of the above)
  Command line: C:\WINDOWS\tasksche.exe /i
  - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (depth 1, separate tree)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

Note: the DLL is invoked through its first export by ordinal (,#1). The 64-bit rundll32.exe in system32 cannot load a 32-bit DLL, so it relaunches the 32-bit rundll32.exe from SysWOW64 with the same command line; that process writes mssecsvc.exe into C:\WINDOWS and starts it, and mssecsvc.exe in turn drops and starts tasksche.exe /i. The second mssecsvc.exe instance (-m security) has no parent in the tree, so it was not started by the rundll32 chain.
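The WriteProcessMemory signature above is only meaningful once it is checked against the process tree. The following script, added here as a worked example and not part of the sandbox report, parses the six "wrote to memory of" rows in the sandbox's own wording, groups them, and labels each source/target pair as a parent writing into the child it spawned or as a write into an unrelated process. The PID-to-node mapping (4684 and 4204 for the two rundll32.exe instances, 528 for the mssecsvc.exe started by rundll32, 3724 for tasksche.exe, 804 for the "-m security" instance) is an assumption reconstructed from the report's IoC lists and the write events; the input lines are constructed from the report.

```python
"""Check sandbox WriteProcessMemory events against the process tree.

Added example (not part of the sandbox report). Labels each cross-process
write as parent->child (the pattern CreateProcess itself produces when it
writes the new process's parameters) or foreign (a write into a process
the writer did not spawn, which is the case worth chasing).
"""
import re
from collections import Counter

# Constructed input: the six WriteProcessMemory rows from the report,
# one per line, in the sandbox's own wording.
WRITE_EVENTS = """\
PID 4684 wrote to memory of 4204 4684 rundll32.exe rundll32.exe
PID 4684 wrote to memory of 4204 4684 rundll32.exe rundll32.exe
PID 4684 wrote to memory of 4204 4684 rundll32.exe rundll32.exe
PID 4204 wrote to memory of 528 4204 rundll32.exe mssecsvc.exe
PID 4204 wrote to memory of 528 4204 rundll32.exe mssecsvc.exe
PID 4204 wrote to memory of 528 4204 rundll32.exe mssecsvc.exe
"""

# Process tree as (pid, parent_pid, image). Parent links follow the report's
# tree; which PID belongs to which node is an ASSUMPTION reconstructed from
# the "Executes dropped EXE" list (528 and 804 are mssecsvc.exe, 3724 is
# tasksche.exe) and from the write events (4204 wrote into 528).
PROCESSES = [
    (4684, None, r"C:\Windows\system32\rundll32.exe"),
    (4204, 4684, r"C:\Windows\SysWOW64\rundll32.exe"),
    (528, 4204, r"C:\WINDOWS\mssecsvc.exe"),
    (3724, 528, r"C:\WINDOWS\tasksche.exe /i"),
    (804, None, r"C:\WINDOWS\mssecsvc.exe -m security"),
]

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_write_events(text):
    """Return one (source_pid, target_pid) tuple per event line."""
    return [(int(src), int(dst)) for src, dst in EVENT_RE.findall(text)]


def classify_writes(events, processes):
    """Group identical events and label each pair parent->child or foreign."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    image_of = {pid: img for pid, _, img in processes}
    results = []
    for (src, dst), count in sorted(Counter(events).items()):
        kind = "parent->child" if parent_of.get(dst) == src else "foreign"
        results.append({
            "source": src, "source_image": image_of.get(src, "?"),
            "target": dst, "target_image": image_of.get(dst, "?"),
            "events": count, "kind": kind,
        })
    return results


def spawn_chain(processes, leaf):
    """Walk parent links from leaf up to the tree root; root comes first."""
    parent_of = {pid: ppid for pid, ppid, _ in processes}
    chain, pid = [], leaf
    while pid is not None:
        chain.append(pid)
        pid = parent_of.get(pid)
    return chain[::-1]


if __name__ == "__main__":
    for row in classify_writes(parse_write_events(WRITE_EVENTS), PROCESSES):
        print(f"{row['source']} ({row['source_image']}) -> {row['target']} "
              f"({row['target_image']}): {row['events']} writes, {row['kind']}")
    print("spawn chain to tasksche.exe:", spawn_chain(PROCESSES, 3724))
```

Run against this report both pairs come out as parent->child with three events each, and the chain to tasksche.exe is 4684 -> 4204 -> 528 -> 3724. Feeding the same function a write whose target is not a child of the writer (say, 528 writing into 4684) returns "foreign", which is the signal that deserves a memory dump of the target.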
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe (listed three times in the report with identical hashes, under C:\WINDOWS\ and C:\Windows\)
  Filesize: 3.6MB
  MD5: 944dcb3668f571b7156dd18f924438fc
  SHA1: aed293f799bcda119e84d176406d442f04f8433a
  SHA256: 97d12bb65fc078d6d6bc006963e3fa5c91c7e495ea28257fed9c87b17971a825
  SHA512: 2ab60a73346f429962d2e912319f7b9bcb5b5951599642b7f47a00f3d68d60aadf9898581daa2653feecd8e4184615ba420ac30547bb35a7185d34e5025c39cf
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 5914e52020bf8dcc1832e5864c85b531
  SHA1: 15fc8b4e98241605e9cadf84801d6e573d6495da
  SHA256: 67952d1154d57ae8272db63f8f746c11763008332420737da6db50c81b018ec8
  SHA512: 53a2a4f3f09c137cc348a1126e805a471965fd24a58df081fd79f6de10fcd2d4ba7637139664ff6c5df119762f602b531c5e7f0d74410bdcfd3cc23193d86ed3
- memory/528-131-0x0000000000000000-mapping.dmp
- memory/4204-130-0x0000000000000000-mapping.dmp
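The hashes in the General and Downloads sections are the most portable indicators this run produced. The following script, added here as a worked example and not part of the sandbox report, carries those digests as a lookup set and sweeps a directory tree for files that match on any of MD5, SHA-1, SHA-256 or SHA-512, computing all four in a single read pass per file. The indicator labels are descriptive names chosen for this example; the hash values are copied from the report.

```python
"""Hash-match files against the dropped-file indicators from this report.

Added example (not part of the sandbox report). Computes MD5, SHA-1,
SHA-256 and SHA-512 in one pass per file and reports any file whose
digest appears in the indicator set, so a triage sweep of a host or an
acquired image can find the submitted DLL and the two dropped binaries.
"""
import hashlib
import os

# Indicators copied from the report's General and Downloads sections.
# Labels are descriptive names chosen for this example.
INDICATORS = {
    "submitted sample (.dll)": {
        "md5": "ab02e31aa2a8ea6eecc684bfa2e3c185",
        "sha1": "6665249de09b0900743d45e141c0ec186d2e00b2",
        "sha256": "34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12",
        "sha512": "b3b8f69b5ee03890c41a4619d50dc3bcb569b5921395b226f52f790a53b553006e9ac9be417667a31664443bf7bf6cb0928c63873ffab4267268938afa6923b0",
    },
    "mssecsvc.exe": {
        "md5": "944dcb3668f571b7156dd18f924438fc",
        "sha1": "aed293f799bcda119e84d176406d442f04f8433a",
        "sha256": "97d12bb65fc078d6d6bc006963e3fa5c91c7e495ea28257fed9c87b17971a825",
        "sha512": "2ab60a73346f429962d2e912319f7b9bcb5b5951599642b7f47a00f3d68d60aadf9898581daa2653feecd8e4184615ba420ac30547bb35a7185d34e5025c39cf",
    },
    "tasksche.exe": {
        "md5": "5914e52020bf8dcc1832e5864c85b531",
        "sha1": "15fc8b4e98241605e9cadf84801d6e573d6495da",
        "sha256": "67952d1154d57ae8272db63f8f746c11763008332420737da6db50c81b018ec8",
        "sha512": "53a2a4f3f09c137cc348a1126e805a471965fd24a58df081fd79f6de10fcd2d4ba7637139664ff6c5df119762f602b531c5e7f0d74410bdcfd3cc23193d86ed3",
    },
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digests_of_bytes(data):
    """Hash an in-memory buffer with all four algorithms."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def file_digests(path, chunk_size=1 << 20):
    """Hash one file with all four algorithms in a single streaming pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_index(indicators):
    """Map (algorithm, lowercase hex digest) -> indicator label."""
    index = {}
    for label, digests in indicators.items():
        for algo, value in digests.items():
            index[(algo, value.lower())] = label
    return index


def match_digests(digests, index):
    """Return the sorted indicator labels hit by any of the given digests."""
    hits = {index[(algo, value.lower())]
            for algo, value in digests.items()
            if (algo, value.lower()) in index}
    return sorted(hits)


def scan_tree(root, indicators=INDICATORS):
    """Walk a directory tree and return [(path, [labels])] for every match."""
    index = build_index(indicators)
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = file_digests(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep sweeping
            labels = match_digests(digests, index)
            if labels:
                matches.append((path, labels))
    return matches


if __name__ == "__main__":
    import sys
    for path, labels in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", ", ".join(labels))
```

Matching on any one digest is deliberate: a report, a ticket or a blocklist often carries only an MD5 or only a SHA-256, and the single-pass hasher means the extra algorithms cost one read of the file rather than four. Case is normalised on both sides because the same hash is frequently pasted in upper case.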