Analysis
- max time kernel: 153s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 07-07-2022 21:16
Static task: static1
Behavioral task: behavioral1
- Sample: 43f4cb1e61aa8d6a587263e2c81107ebf2fb5ef6ca19311dd7447b74b85bb5af.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 43f4cb1e61aa8d6a587263e2c81107ebf2fb5ef6ca19311dd7447b74b85bb5af.dll
- Resource: win10v2004-20220414-en
General
- Target: 43f4cb1e61aa8d6a587263e2c81107ebf2fb5ef6ca19311dd7447b74b85bb5af.dll
- Size: 5.0MB
- MD5: fc7dab164812e35752c29178fde872db
- SHA1: 61d950f2cde956960cf07e115f6428edda32d633
- SHA256: 43f4cb1e61aa8d6a587263e2c81107ebf2fb5ef6ca19311dd7447b74b85bb5af
- SHA512: 986558dc6d4a28aaaad82e53df2acf09db8e3c8a939e04de465aaa18b2c212595ba3e75f60ce9c7b6d879b8d81707f414d385037fb21146d4223cb3645288b1f
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2728) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 1984 mssecsvr.exe
  - 3168 mssecsvr.exe
  - 4212 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (4 IoCs)
  Processes (description, ioc, process):
  - File created | C:\WINDOWS\mssecsvr.exe | rundll32.exe
  - File created | C:\WINDOWS\tasksche.exe | mssecsvr.exe
  - File created | C:\Windows\__tmp_rar_sfx_access_check_240586187 | tasksche.exe
  - File created | C:\Windows\eee.exe | tasksche.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvr.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvr.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvr.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvr.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvr.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  - PID 4956 wrote to memory of 4564 | 4956 | rundll32.exe | rundll32.exe (reported 3 times)
  - PID 4564 wrote to memory of 1984 | 4564 | rundll32.exe | mssecsvr.exe (reported 3 times)
  - PID 1984 wrote to memory of 4212 | 1984 | mssecsvr.exe | tasksche.exe (reported 3 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\43f4cb1e61aa8d6a587263e2c81107ebf2fb5ef6ca19311dd7447b74b85bb5af.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\43f4cb1e61aa8d6a587263e2c81107ebf2fb5ef6ca19311dd7447b74b85bb5af.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        - Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvr.exe
  Filesize: 2.2MB
  MD5: 09fa846303dc895c0688ecc456d9e667
  SHA1: 2c7527d8f8573dc394b004085d5255b5437847b7
  SHA256: ec6757162500e2dcd4dbd9adc59aee10c25da5eaa3d4e65309bc78f8ebd38ca9
  SHA512: 7707eec8ac96c864365b2df7656549ee83685006fcefd2038564ad7d859fe552041aa7c61af1c9098b2257b2b158f8d511c6fe9c8814636df86d3e3268404ce5
- C:\WINDOWS\tasksche.exe
  Filesize: 2.0MB
  MD5: d2a7aaa23e34fd8eb852212a212516df
  SHA1: ee6e2e6cb957ac9938e270b5866516bfe2254790
  SHA256: 8d8849679e249720dc13b93f05d7500d653eddef7bb45df803cfabb80b67da50
  SHA512: 59d815a2db3d14bcd416f18969b6461e960bd5c41b7c15a5c1542ce98234a229e344343b4c732c2d0da6d1358cc109d23aa7b4225367132b327360ea2b125558
- memory/1984-131-0x0000000000000000-mapping.dmp
- memory/4212-135-0x0000000000000000-mapping.dmp
- memory/4564-130-0x0000000000000000-mapping.dmp