Analysis
max time kernel: 157s
max time network: 172s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-07-2022 16:15

Static task: static1
Behavioral task: behavioral1
  Sample: 408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac.dll
  Resource: win10v2004-20220414-en
General
Target: 408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac.dll
Size: 5.0MB
MD5: 0e3e5e700886a192d323c1012c6c1b2b
SHA1: f7f6317e536229c740c82428c1f9bbe0ef557586
SHA256: 408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac
SHA512: 89b9ee348fe70ce34a74e67365c63c8c4f4bd029e1f3738add65f1e5edb0b9ca4c5ddda56b17c744ce155a046a6653e44184a5fdbf23f2c131e0651d7b8d650f
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large (2511) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID    Process
  796    mssecsvc.exe
  2228   mssecsvc.exe
  3164   tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Description    IoC                        Process
  File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Description       IoC                                                                                                              Process
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description                         PID    Process         Target process
  PID 1496 wrote to memory of 3468    1496   rundll32.exe    rundll32.exe
  PID 1496 wrote to memory of 3468    1496   rundll32.exe    rundll32.exe
  PID 1496 wrote to memory of 3468    1496   rundll32.exe    rundll32.exe
  PID 3468 wrote to memory of 796     3468   rundll32.exe    mssecsvc.exe
  PID 3468 wrote to memory of 796     3468   rundll32.exe    mssecsvc.exe
  PID 3468 wrote to memory of 796     3468   rundll32.exe    mssecsvc.exe
Processes (nested by parent; PIDs taken from the WriteProcessMemory and Executes dropped EXE tables)
- C:\Windows\system32\rundll32.exe (PID 1496)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3468)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 796)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3164)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2228; parent not recorded)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
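The process tree and the Executes dropped EXE, Drops file in Windows directory and Modifies data under HKEY_USERS signatures above describe behaviour that can be hunted for in endpoint telemetry. The script below is an added example for this page, not code from the sandbox vendor or from the report: it encodes the report's dropped-file paths, hashes and ZoneMap values as IoCs and runs three detections over constructed process and registry events that mirror the report's tree. The event field names (pid, ppid, image, cmdline, key, value), the placeholder parent PIDs 1000 and 600, and the "rundll32 spawns an EXE directly in C:\Windows" heuristic are assumptions, not facts from the report.

```python
"""Turn this report's behavioural IoCs into host-telemetry detections.

Added example; not the sandbox vendor's or the report's code. The events
below are CONSTRUCTED to mirror the report's process tree and registry
writes. Field layout and the parent PIDs 1000/600 are assumptions,
loosely modelled on Sysmon process-creation and registry-set events.
"""
from collections import defaultdict

# Dropped binaries and their recorded hashes (report, Downloads section).
DROPPED_FILES = {
    r"C:\WINDOWS\mssecsvc.exe": {
        "md5": "b44ead507982e4cf2d61df6f43d749f7",
        "sha1": "2d63f7b5ed64048efd6f52f6ba4a04bc5ffd1aba",
        "sha256": "e2e8d453dd30923f1e9a7be288732a4796164dade8e6f8b23800672380b024a7",
    },
    r"C:\WINDOWS\tasksche.exe": {
        "md5": "1fd3d102d83758e8317df2380821e807",
        "sha1": "3709a9b48aee0d6039b4b3581be33f48d4919b79",
        "sha256": "01b628fa60560c0cb4a332818cb380a65d0616d19976c084e0c3eaa433288b88",
    },
}
_DROPPED_LOWER = {p.lower() for p in DROPPED_FILES}

# ZoneMap values the report shows mssecsvc.exe writing under HKU\.DEFAULT.
ZONEMAP_KEY = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
ZONEMAP_VALUES = {"proxybypass": 1, "intranetname": 1, "uncasintranet": 1, "autodetect": 0}

DLL = r"C:\Users\Admin\AppData\Local\Temp\408d55f5079c3c771c5e5dd310332cb9ac85cfec02fa9469538d4fb83e51efac.dll"

# Constructed process-creation events mirroring the report's tree (ppid 1000/600 are placeholders).
PROCESS_EVENTS = [
    {"pid": 1496, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 3468, "ppid": 1496, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 796, "ppid": 3468, "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 3164, "ppid": 796, "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 2228, "ppid": 600, "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
]

# Constructed registry events mirroring the five HKEY_USERS IoCs (key creation, then four value writes).
REGISTRY_EVENTS = [{"pid": 2228, "image": r"C:\WINDOWS\mssecsvc.exe", "key": ZONEMAP_KEY, "value": None}] + [
    {"pid": 2228, "image": r"C:\WINDOWS\mssecsvc.exe", "key": f"{ZONEMAP_KEY}\\{name}", "value": data}
    for name, data in (("ProxyBypass", 1), ("IntranetName", 1), ("UNCAsIntranet", 1), ("AutoDetect", 0))
]


def ancestry(pid, events):
    """Image paths from `pid` up to the last parent present in `events` (cycle-safe)."""
    by_pid, chain, seen = {e["pid"]: e for e in events}, [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def detect_dropped_binary_execution(events):
    """One alert per process whose image is a dropped file, with its ancestry for context."""
    return [{"rule": "dropped_binary_executed", "pid": e["pid"], "chain": ancestry(e["pid"], events)}
            for e in events if e["image"].lower() in _DROPPED_LOWER]


def detect_rundll32_spawning_windows_root_exe(events):
    """Heuristic: rundll32.exe starting an executable that sits directly in C:\\Windows
    (not System32/SysWOW64), as the report shows for mssecsvc.exe."""
    by_pid, root, alerts = {e["pid"]: e for e in events}, "c:\\windows\\", []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if not parent or not parent["image"].lower().endswith("\\rundll32.exe"):
            continue
        image = e["image"].lower()
        if image.startswith(root) and "\\" not in image[len(root):]:
            alerts.append({"rule": "rundll32_spawned_windows_root_exe", "pid": e["pid"],
                           "parent_pid": parent["pid"], "image": e["image"]})
    return alerts


def detect_zonemap_tampering(reg_events):
    """Group ZoneMap writes under HKU\\.DEFAULT by writer; alert when one process sets the
    full combination seen in the report. Policy can set these too, so the writer matters."""
    prefix, writes = ZONEMAP_KEY.lower() + "\\", defaultdict(dict)
    for r in reg_events:
        key = r["key"].lower()
        if key.startswith(prefix):
            writes[(r["pid"], r["image"])][key[len(prefix):]] = r["value"]
    return [{"rule": "zonemap_intranet_tampering", "pid": pid, "image": image, "values": vals}
            for (pid, image), vals in writes.items()
            if all(vals.get(name) == data for name, data in ZONEMAP_VALUES.items())]


def match_dropped_hash(digests):
    """Map digests of a file recovered from disk to the dropped file they belong to, or None."""
    for path, known in DROPPED_FILES.items():
        if any(digests.get(alg, "").lower() == h for alg, h in known.items()):
            return path
    return None


def run_all(process_events=PROCESS_EVENTS, reg_events=REGISTRY_EVENTS):
    return (detect_dropped_binary_execution(process_events)
            + detect_rundll32_spawning_windows_root_exe(process_events)
            + detect_zonemap_tampering(reg_events))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Run against the constructed events this yields five alerts, matching the report's counts: three dropped-binary executions (PIDs 796, 3164 and 2228, each with its ancestry back to the system32 rundll32.exe), one rundll32.exe spawn of C:\WINDOWS\mssecsvc.exe, and one ZoneMap alert attributed to the `-m security` instance. `match_dropped_hash` deliberately knows only the two dropped files, not the parent DLL, which the report records as the sample rather than as a download; the ZoneMap rule keys on the writing process because the same four values can be set legitimately by administrative policy.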
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: b44ead507982e4cf2d61df6f43d749f7
  SHA1: 2d63f7b5ed64048efd6f52f6ba4a04bc5ffd1aba
  SHA256: e2e8d453dd30923f1e9a7be288732a4796164dade8e6f8b23800672380b024a7
  SHA512: 22f544d85aab1349f80f998e4554c33fa3c97d49afaa1fa67ddb6ec77b1a1ef270deacf1a672dae409df61ee82b873517dec6acadca323c478928a013a81dc41
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 1fd3d102d83758e8317df2380821e807
  SHA1: 3709a9b48aee0d6039b4b3581be33f48d4919b79
  SHA256: 01b628fa60560c0cb4a332818cb380a65d0616d19976c084e0c3eaa433288b88
  SHA512: db0ee5b13e524f2182845aa94b8b1121749e87e48e75e5ba8fa26cae024216913d3a5904fb3544dfeefa49ecf76af5cf1324c410e6366a7197594e8e9e26025f
- memory/796-131-0x0000000000000000-mapping.dmp
- memory/3468-130-0x0000000000000000-mapping.dmp