Analysis
-
max time kernel
170s
-
max time network
190s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220414-en
-
submitted
03-07-2022 17:56
Static task
static1
Behavioral task
behavioral1
Sample
3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26.dll
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26.dll
Resource
win10v2004-20220414-en
General
-
Target
3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26.dll
-
Size
5.0MB
-
MD5
8dadb8fd05dd1734501fc862a7135faa
-
SHA1
f2f6f467f7006025259fddd66b81386309ab0700
-
SHA256
3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26
-
SHA512
992a9806bfe2d715eb0b58dee589acdd7fa44a1a75ce794ef9c617d87443a6de9a5d3bfefacb7b965cbb15a730e254e261d0ac921c1d99143d105b688643783b
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3050) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
5068  mssecsvr.exe
4700  mssecsvr.exe
388   tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 4 IoCs
Processes: tasksche.exe, rundll32.exe, mssecsvr.exe
description   ioc                                               process
File created  C:\Windows\__tmp_rar_sfx_access_check_240587562  tasksche.exe
File created  C:\Windows\eee.exe                                tasksche.exe
File created  C:\WINDOWS\mssecsvr.exe                           rundll32.exe
File created  C:\WINDOWS\tasksche.exe                           mssecsvr.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes: mssecsvr.exe
description      ioc                                                                                                          process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 mssecsvr.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvr.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvr.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvr.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvr.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes: rundll32.exe, rundll32.exe, mssecsvr.exe
description                        pid   process       target process
PID 5040 wrote to memory of 4948   5040  rundll32.exe  rundll32.exe
PID 5040 wrote to memory of 4948   5040  rundll32.exe  rundll32.exe
PID 5040 wrote to memory of 4948   5040  rundll32.exe  rundll32.exe
PID 4948 wrote to memory of 5068   4948  rundll32.exe  mssecsvr.exe
PID 4948 wrote to memory of 5068   4948  rundll32.exe  mssecsvr.exe
PID 4948 wrote to memory of 5068   4948  rundll32.exe  mssecsvr.exe
PID 5068 wrote to memory of 388    5068  mssecsvr.exe  tasksche.exe
PID 5068 wrote to memory of 388    5068  mssecsvr.exe  tasksche.exe
PID 5068 wrote to memory of 388    5068  mssecsvr.exe  tasksche.exe
Processes
(indentation shows process tree depth; each entry lists the image path, then its command line, then the signatures it triggered)
-
C:\Windows\system32\rundll32.exe
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26.dll,#1
- Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
-
        C:\WINDOWS\mssecsvr.exe
        command line: C:\WINDOWS\mssecsvr.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
-
            C:\WINDOWS\tasksche.exe
            command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
            - Drops file in Windows directory
-
C:\WINDOWS\mssecsvr.exe
command line: C:\WINDOWS\mssecsvr.exe -m security
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB
MD5
58ff294624a691ed4d9b57e73a88a4cc
SHA1
752c79566858a0ca0fb8f5f629aea6ef940647ee
SHA256
2ca3eb47b146740b1cce064724a9fc140c53a3165a38a1025e2ebb4049d7673b
SHA512
21eab38f93459e22fb7ffa210127cfac417650b8c57181f93268f3b42c2667044f4d42ecbc6ad6651b997057a563f7b008c3bf3598a606b973a6ac44c8caa5c9
-
C:\WINDOWS\tasksche.exe
Filesize
2.0MB
MD5
1b2bd4c884938f2f612ad5bcfc6d8dee
SHA1
4b1aabcabdc588258e2053c0e94c840bfcbb8547
SHA256
e68ce76eebc7677875e9241efe5ab3046d1f71e31a0af34204b6ff71e149884c
SHA512
ba34ac388c277ed99ae3fe482e9fc5be39a1fa7f4048d1556feb31c6841ac211df16daa31a1e6e51d89aae83baf2d90909b806a4aeae45e12d7579a4bfe102e9
-
C:\Windows\mssecsvr.exe
Filesize
2.2MB
MD5
58ff294624a691ed4d9b57e73a88a4cc
SHA1
752c79566858a0ca0fb8f5f629aea6ef940647ee
SHA256
2ca3eb47b146740b1cce064724a9fc140c53a3165a38a1025e2ebb4049d7673b
SHA512
21eab38f93459e22fb7ffa210127cfac417650b8c57181f93268f3b42c2667044f4d42ecbc6ad6651b997057a563f7b008c3bf3598a606b973a6ac44c8caa5c9
-
C:\Windows\tasksche.exe
Filesize
2.0MB
MD5
1b2bd4c884938f2f612ad5bcfc6d8dee
SHA1
4b1aabcabdc588258e2053c0e94c840bfcbb8547
SHA256
e68ce76eebc7677875e9241efe5ab3046d1f71e31a0af34204b6ff71e149884c
SHA512
ba34ac388c277ed99ae3fe482e9fc5be39a1fa7f4048d1556feb31c6841ac211df16daa31a1e6e51d89aae83baf2d90909b806a4aeae45e12d7579a4bfe102e9
-
memory/388-135-0x0000000000000000-mapping.dmp
-
memory/4948-130-0x0000000000000000-mapping.dmp
-
memory/5068-131-0x0000000000000000-mapping.dmp