Analysis
- max time kernel: 151s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 01-07-2022 13:50
Static task: static1
Behavioral task: behavioral1
- Sample: 3df8f4f1133965ed8ebe123a8e5565e20d10313c7ca7b3834f530c5ba3f6187a.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 3df8f4f1133965ed8ebe123a8e5565e20d10313c7ca7b3834f530c5ba3f6187a.dll
- Resource: win10v2004-20220414-en
General
- Target: 3df8f4f1133965ed8ebe123a8e5565e20d10313c7ca7b3834f530c5ba3f6187a.dll
- Size: 5.0MB
- MD5: 740b034f58fcaea5e65b5da0c148a3aa
- SHA1: 1af775bb36845c3050e05ae9da4074430b8320d2
- SHA256: 3df8f4f1133965ed8ebe123a8e5565e20d10313c7ca7b3834f530c5ba3f6187a
- SHA512: cc012c8cbdddae2c70617780b03f5f052745c502b195a083527833d82751328a04e7cf2b20f9d3ee13140dd381bb32dbbc82887b92551eba98b03351db70eccf
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3214) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes:
  pid   process
  1776  mssecsvr.exe
  2312  mssecsvr.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description   ioc                        process
  File created  C:\WINDOWS\mssecsvr.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvr.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
  description      ioc                                                                                                             process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                        pid   process       target process
  PID 1660 wrote to memory of 3568   1660  rundll32.exe  rundll32.exe
  PID 1660 wrote to memory of 3568   1660  rundll32.exe  rundll32.exe
  PID 1660 wrote to memory of 3568   1660  rundll32.exe  rundll32.exe
  PID 3568 wrote to memory of 1776   3568  rundll32.exe  mssecsvr.exe
  PID 3568 wrote to memory of 1776   3568  rundll32.exe  mssecsvr.exe
  PID 3568 wrote to memory of 1776   3568  rundll32.exe  mssecsvr.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3df8f4f1133965ed8ebe123a8e5565e20d10313c7ca7b3834f530c5ba3f6187a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3df8f4f1133965ed8ebe123a8e5565e20d10313c7ca7b3834f530c5ba3f6187a.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvr.exe
  Filesize: 2.2MB
  MD5: 11eda742933713419b83278d141fd077
  SHA1: 0efee3bfe3697f7ae2f7c847a1f727a0c024f6c4
  SHA256: facc04d26cad9081ed4ed0dbea9a60ec78b0083d430f069a5b65ff900e1ff237
  SHA512: 2a9c20dcfdc4862664557b67f884dec1fa87f43035d5cc9a2290e6b5949b65bf0409dd54dae423a12d0c104b865b66d1e7ecb972e30ef85cf0f56db293a70f63
- memory/1776-131-0x0000000000000000-mapping.dmp
- memory/3568-130-0x0000000000000000-mapping.dmp