Resubmissions
03-07-2022 05:49  220703-gh9hnshccn  score 10
Analysis
max time kernel: 153s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03-07-2022 05:49
Static task: static1
Behavioral task: behavioral1
  Sample: 3ca20938c652880a62726152cf45b0fb46a7cf85da69c979d17176cdd1669c3d.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3ca20938c652880a62726152cf45b0fb46a7cf85da69c979d17176cdd1669c3d.dll
  Resource: win10v2004-20220414-en
General
Target: 3ca20938c652880a62726152cf45b0fb46a7cf85da69c979d17176cdd1669c3d.dll
Size: 5.0MB
MD5: 1bb736b97b5bcb4c5b3adf5c3c903fa3
SHA1: 10f9c2033d3ff3618ca7253f7b68a09bbd681c4c
SHA256: 3ca20938c652880a62726152cf45b0fb46a7cf85da69c979d17176cdd1669c3d
SHA512: 9036eb430ec907311b90f623aab08a17b27e2238c3a8745e5436837d57f34156ff81efa87abe8770e9a87444c62934f8979d66ef42c2b67c9d02c22f50c02285
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
-
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
-
Contacts a large (3220) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
1868  mssecsvc.exe
1404  mssecsvc.exe
2348  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
description   ioc                       process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
description      ioc                                                                                                         process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                       pid   process       target process
PID 1252 wrote to memory of 4908  1252  rundll32.exe  rundll32.exe
PID 1252 wrote to memory of 4908  1252  rundll32.exe  rundll32.exe
PID 1252 wrote to memory of 4908  1252  rundll32.exe  rundll32.exe
PID 4908 wrote to memory of 1868  4908  rundll32.exe  mssecsvc.exe
PID 4908 wrote to memory of 1868  4908  rundll32.exe  mssecsvc.exe
PID 4908 wrote to memory of 1868  4908  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3ca20938c652880a62726152cf45b0fb46a7cf85da69c979d17176cdd1669c3d.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3ca20938c652880a62726152cf45b0fb46a7cf85da69c979d17176cdd1669c3d.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 93409fe4337b68f8912ba2e92c23c511
  SHA1: 2de3c7ada7dfffe146ebb57290c13e69344fcefc
  SHA256: 2543b22312984298b9436bf5c16e211d11a8ad23872b9fe3ba5ed46c663c3ed7
  SHA512: fb3edd00b09178da6d8bfa2159f7d66fd3e3be85e22f22e96c7c8a84c77004dc46e12fc20c9af9bf112acaa4ae37d24385bc5fba01bb44c552dc9669f472ba6b
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 93409fe4337b68f8912ba2e92c23c511
  SHA1: 2de3c7ada7dfffe146ebb57290c13e69344fcefc
  SHA256: 2543b22312984298b9436bf5c16e211d11a8ad23872b9fe3ba5ed46c663c3ed7
  SHA512: fb3edd00b09178da6d8bfa2159f7d66fd3e3be85e22f22e96c7c8a84c77004dc46e12fc20c9af9bf112acaa4ae37d24385bc5fba01bb44c552dc9669f472ba6b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 837e206ce11179584ec7ef0a57a511ed
  SHA1: e43ed282d8906410bf3b4225b0bfcc1d20fae810
  SHA256: a03d52a8c7277c61ef65c1e7960b322be1a94d88de4dc3b6788b551e44ff17e9
  SHA512: 3f9e02a8e412837b1dd4877d4920bc6029952f0efbc4d54007d617ec5b48dd88ccca6e552b791a1748a68584c2c1c4f7f78bd9fcf64947af788c4f52d25595a7
-
memory/1868-131-0x0000000000000000-mapping.dmp
-
memory/4908-130-0x0000000000000000-mapping.dmp