Analysis
- max time kernel: 147s
- max time network: 197s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 05:48
Static task: static1
Behavioral task: behavioral1
- Sample: 74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707.dll
- Resource: win10v2004-20220414-en
General
- Target: 74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707.dll
- Size: 5.0MB
- MD5: da480470e229f27bb2632ade91b37300
- SHA1: 7da6b9048707adf18c997bcaec32d6bebc5580fb
- SHA256: 74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707
- SHA512: a39fba8d3b45345ed54dda14acecdbe815af7261eeabb7bd53ec321d31c0d1ad7a2d0e6e67c7596fbad9bc921c65f2635ec1dfb00805768124a2b17dd7c22d2d
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    4112  mssecsvc.exe
    2260  mssecsvc.exe
    444   tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                       Process
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Key created (mssecsvc.exe): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int) (mssecsvc.exe): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int) (mssecsvc.exe): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int) (mssecsvc.exe): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int) (mssecsvc.exe): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                        PID   Process       Target process
    PID 3408 wrote to memory of 2420   3408  rundll32.exe  rundll32.exe
    PID 3408 wrote to memory of 2420   3408  rundll32.exe  rundll32.exe
    PID 3408 wrote to memory of 2420   3408  rundll32.exe  rundll32.exe
    PID 2420 wrote to memory of 4112   2420  rundll32.exe  mssecsvc.exe
    PID 2420 wrote to memory of 4112   2420  rundll32.exe  mssecsvc.exe
    PID 2420 wrote to memory of 4112   2420  rundll32.exe  mssecsvc.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 883c9282416c4b2cf418fbde83502b52
  SHA1: 3eefd8dc469a01c992241bd879202a7e9841b598
  SHA256: fe2c8534a46d7fc3177c87912e725f05e09dc7739933c412d80bdde1f74dcdda
  SHA512: 081abae1ddea49b8aaac6f3b79387b297828a9c7d111672a96d840e2dd80f35d3d2625e0a8cdea25118befcc1d2e11638a509620f3cb1b4782ce8593a0c58983
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 883c9282416c4b2cf418fbde83502b52
  SHA1: 3eefd8dc469a01c992241bd879202a7e9841b598
  SHA256: fe2c8534a46d7fc3177c87912e725f05e09dc7739933c412d80bdde1f74dcdda
  SHA512: 081abae1ddea49b8aaac6f3b79387b297828a9c7d111672a96d840e2dd80f35d3d2625e0a8cdea25118befcc1d2e11638a509620f3cb1b4782ce8593a0c58983
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 913198f3e8dd9036ce5001f49b670fab
  SHA1: f3db77750604a3c586544763630354e71825b736
  SHA256: 84101afa0756983f0274efab7890f377b22356281bdd236a4657844d958effb2
  SHA512: 098818ea840a28f33ff60af0f0fabe907cf5052c935192c7661ffdcbe06c015d6843c55fa9d5b02d7cdde6da447c9ec0018f7339ddaee494298bf61618000352
- memory/2420-130-0x0000000000000000-mapping.dmp
- memory/4112-131-0x0000000000000000-mapping.dmp