Analysis
- max time kernel: 156s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 00:43
Static task: static1
Behavioral task: behavioral1
  Sample: 42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll
  Resource: win10v2004-20220414-en
General
- Target: 42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll
- Size: 5.0MB
- MD5: 3ce4cffc202ddafe9e2b2c8f570f4e16
- SHA1: f331a320d11d62823847ed76228e2e706df6aa2c
- SHA256: 42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c
- SHA512: 24484046e1075e475d58aff29dbe62471bd62925d91209a961fee74007a869c4e5bd4484d38984f65bcff3b7a65adccb711a206a3b25ccd45b894c3065cb4e95
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
-
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
-
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large (2070) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   | process
    2260  | mssecsvc.exe
    1480  | mssecsvc.exe
    3672  | tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                      | process
    File created | C:\WINDOWS\mssecsvc.exe  | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe  | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description     | ioc                                                                                                           | process
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                   | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      | pid  | process      | target process
    PID 4052 wrote to memory of 4072 | 4052 | rundll32.exe | rundll32.exe
    PID 4052 wrote to memory of 4072 | 4052 | rundll32.exe | rundll32.exe
    PID 4052 wrote to memory of 4072 | 4052 | rundll32.exe | rundll32.exe
    PID 4072 wrote to memory of 2260 | 4072 | rundll32.exe | mssecsvc.exe
    PID 4072 wrote to memory of 2260 | 4072 | rundll32.exe | mssecsvc.exe
    PID 4072 wrote to memory of 2260 | 4072 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (tree level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (tree level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (tree level 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (tree level 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (tree level 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 31def06abbda1f1bb66478c529472968
  SHA1: 415434f6d7cf11afa36380a7c4b9d810b8106ed7
  SHA256: 61ab25674aa2529ff9e581e829537544aeb00004c1a861f30e91d335030e8515
  SHA512: 217f571187700877ea6ed1a88f7bbd27ebff586f9d0dbaeefd65f48bf42733264305ecbd4992f3bcbfe96679bb772e7996e42d9aceafb1c809645873afc48c40
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 31def06abbda1f1bb66478c529472968
  SHA1: 415434f6d7cf11afa36380a7c4b9d810b8106ed7
  SHA256: 61ab25674aa2529ff9e581e829537544aeb00004c1a861f30e91d335030e8515
  SHA512: 217f571187700877ea6ed1a88f7bbd27ebff586f9d0dbaeefd65f48bf42733264305ecbd4992f3bcbfe96679bb772e7996e42d9aceafb1c809645873afc48c40
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f2fc595e0263ee99769ec3805bb7768e
  SHA1: 21c3b65c906ff24a4759271537b8da01516d841d
  SHA256: 85117a97158c171ef7de01771ffdc172df4c09689fa1d579513d27a4a861351f
  SHA512: 512a12f68ae5c7e61961c38d6cfb33e2e796ef0afe29170c67764830d7200ae5fb675d83df96dfde1a28994331d81cb7b4b56f8f58fc923c0fc73168a03cf99c
- memory/2260-131-0x0000000000000000-mapping.dmp
- memory/4072-130-0x0000000000000000-mapping.dmp