Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 04:02

Static task: static1

Behavioral task: behavioral1
- Sample: 41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll
- Resource: win10v2004-20220414-en
General
- Target: 41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll
- Size: 5.0MB
- MD5: ad46e85c3890145837f40e4f26720a87
- SHA1: 6e349a578fcbd339f54f718caf9371a887c5665f
- SHA256: 41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5
- SHA512: dc7146efa798f3b3194b30c49bfa82a47f09f4f961afacebdff6065c3fbd89c67f251aabf18da29b718c344a9b02727493353ea8347e0f4dd164315690dbbed4
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large (3304) amount of remote hosts (1 TTPs): This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    4584 | mssecsvc.exe
    3144 | mssecsvc.exe
    4304 | tasksche.exe
- Creates a large amount of network flows (1 TTPs): This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                      | process
    File created | C:\WINDOWS\mssecsvc.exe  | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe  | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description     | ioc                                                                                                      | process
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      | pid  | process      | target process
    PID 4728 wrote to memory of 2328 | 4728 | rundll32.exe | rundll32.exe
    PID 4728 wrote to memory of 2328 | 4728 | rundll32.exe | rundll32.exe
    PID 4728 wrote to memory of 2328 | 4728 | rundll32.exe | rundll32.exe
    PID 2328 wrote to memory of 4584 | 2328 | rundll32.exe | mssecsvc.exe
    PID 2328 wrote to memory of 4584 | 2328 | rundll32.exe | mssecsvc.exe
    PID 2328 wrote to memory of 4584 | 2328 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 134bf392d1f94f6769ddd428008d9649
  SHA1: de91f6fffce478eaa2aafccf1781439968965447
  SHA256: bfc2651980c65c67db98f202bf72e063dab60dc7714e7ed33a5f0a5ffa6f2c3b
  SHA512: 7555e446aa60008cadf567425429579ef5f98aa88580e9b97f49e52191338026d2c13a6da697f0b0e99c90aa37f97a29ae715994b0b57f30896dded8c426f2e5
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 134bf392d1f94f6769ddd428008d9649
  SHA1: de91f6fffce478eaa2aafccf1781439968965447
  SHA256: bfc2651980c65c67db98f202bf72e063dab60dc7714e7ed33a5f0a5ffa6f2c3b
  SHA512: 7555e446aa60008cadf567425429579ef5f98aa88580e9b97f49e52191338026d2c13a6da697f0b0e99c90aa37f97a29ae715994b0b57f30896dded8c426f2e5
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 302259d656616b116cf96d64964a471a
  SHA1: a74de128df0e7e243e9d8b474e155675e13ba4b0
  SHA256: 332b33d2ae5b777ff16b03de5d5b345abb9630fe0a27b85277a79710aa010c0e
  SHA512: 00b0e5a7cf50d6759ecc406d626fa0e0ecb499125afcc2785b91de0b967a19f1ae677587e9106f59f5249acdda2acf87643da6ac45e7a8b0212b28d1edfc47d6
- memory/2328-130-0x0000000000000000-mapping.dmp
- memory/4584-131-0x0000000000000000-mapping.dmp