Analysis
max time kernel: 156s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07-07-2022 07:53
Static task: static1
Behavioral task: behavioral1
  Sample: 46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df.dll
  Resource: win10v2004-20220414-en
General
Target: 46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df.dll
Size: 5.0MB
MD5: 621bfac4cd27269134254c88cf1c7013
SHA1: 4aba70305bf2f5cfefc9de70fff6ea98b25b1b29
SHA256: 46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df
SHA512: c7cafd9a7bf33ce974590134d3bdb2a67cad7bfc864307495e87606e7fd08f3abe2019c0e65ddcdf45f65ce46971dfb0c9ac696c09fa3f344c7900ef6fdb2002
Malware Config
Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

suricata: ET MALWARE Known Sinkhole Response Kryptos Logic

suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

Contacts a large (3159) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  4184  mssecsvc.exe
  2552  mssecsvc.exe
  1948  tasksche.exe

Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                        process
  File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description      ioc                                                                                                       process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process        target process
  PID 2444 wrote to memory of 3304   2444  rundll32.exe   rundll32.exe
  PID 2444 wrote to memory of 3304   2444  rundll32.exe   rundll32.exe
  PID 2444 wrote to memory of 3304   2444  rundll32.exe   rundll32.exe
  PID 3304 wrote to memory of 4184   3304  rundll32.exe   mssecsvc.exe
  PID 3304 wrote to memory of 4184   3304  rundll32.exe   mssecsvc.exe
  PID 3304 wrote to memory of 4184   3304  rundll32.exe   mssecsvc.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory

      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\WINDOWS\mssecsvc.exe (also written as C:\Windows\mssecsvc.exe)
  Filesize: 3.6MB
  MD5: 12a2af8a31c89aa0db17e737acd67e91
  SHA1: 6f8078f618e8e240188d04453613eefef10a2416
  SHA256: 4abed8f38696446653350b0231f135be6c6acd6e57d6e9b15975f79ce1b79dcf
  SHA512: 857a07b14ce0163e3b74fca885e8524742f753abb4bd249f1998db2ef72fe1bba9231051d87449e90d7cad02db0b6f9cb3a2083c3f66396af76fdff13e8f4db2

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0cd18d69348c5b9996ee1305ebe9b733
  SHA1: 88d9ecccb28fa270e8fa066ff3a78350a5c795ce
  SHA256: 80432c03277cb1a56b9855adf12de0b13ff5a08bce5e316fd0d38f93a1c23019
  SHA512: 87119a6ad0a268ee038060753670e6789fb36418b3a57c6328a397f81002b992bc9be6d0befeedfb7dda1d639780f181c0eae33666f3b2ef539915a8090a1d02

memory/3304-130-0x0000000000000000-mapping.dmp
memory/4184-131-0x0000000000000000-mapping.dmp