Analysis
-
max time kernel
152s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
11-07-2022 09:10
Static task
static1
Behavioral task
behavioral1
Sample
WannaCry2.dll
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
WannaCry2.dll
Resource
win10v2004-20220414-en
General
-
Target
WannaCry2.dll
-
Size
5.0MB
-
MD5
3e142c642b1d1e6a01ae319ccbe487a3
-
SHA1
5653bf6e1613bfab68d6d05111b312ed0dceb448
-
SHA256
6f282c0df25a61bef8bd83b317d7c9493b575717b691e30d63da8cb5ec898e7b
-
SHA512
e1215c551e96f2f6e3b5266ef845853fb11e3699ae554bbbec51a8e4c6c91763df1242290dc167b129e96aa33665edd5d3d350d59479c1060f1837052e811640
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
-
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
-
Contacts a large (3122) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 8 mssecsvc.exe 1508 mssecsvc.exe 3236 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1240 wrote to memory of 2160 1240 rundll32.exe rundll32.exe PID 1240 wrote to memory of 2160 1240 rundll32.exe rundll32.exe PID 1240 wrote to memory of 2160 1240 rundll32.exe rundll32.exe PID 2160 wrote to memory of 8 2160 rundll32.exe mssecsvc.exe PID 2160 wrote to memory of 8 2160 rundll32.exe mssecsvc.exe PID 2160 wrote to memory of 8 2160 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry2.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry2.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD57e8224b83706096a14573b5a1a411314
SHA189bf59ccdbde5de5d1eaeac797470afa6c19cfb6
SHA256d8ad2b8c468d3262291f2a86a453a2fef3dbd0600faf85b4df7a3978140ef4b3
SHA512895ac90515670a435482af2b3dd6d348c31443d4a1fef625c278936e3636875f7a315645d1b31670a938a4dbce34cb032f4acae7ab9f43910369d981ec510b2b
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD57e8224b83706096a14573b5a1a411314
SHA189bf59ccdbde5de5d1eaeac797470afa6c19cfb6
SHA256d8ad2b8c468d3262291f2a86a453a2fef3dbd0600faf85b4df7a3978140ef4b3
SHA512895ac90515670a435482af2b3dd6d348c31443d4a1fef625c278936e3636875f7a315645d1b31670a938a4dbce34cb032f4acae7ab9f43910369d981ec510b2b
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD57e8224b83706096a14573b5a1a411314
SHA189bf59ccdbde5de5d1eaeac797470afa6c19cfb6
SHA256d8ad2b8c468d3262291f2a86a453a2fef3dbd0600faf85b4df7a3978140ef4b3
SHA512895ac90515670a435482af2b3dd6d348c31443d4a1fef625c278936e3636875f7a315645d1b31670a938a4dbce34cb032f4acae7ab9f43910369d981ec510b2b
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD566705a0978e9146d15b753dd2293c2ef
SHA13e132c60046917618e080ea8e0d477ae91fd4d73
SHA256547ed4d6e8392eebe30c2f755f529c1079bb17907d32a532261a1fe2dd1dc9c0
SHA5126b9cde50b901c297b4d783bf23c59202c7a45d94f6cc2545575a8f374f43673534883ce627edc990d7b1cd14c4130b1a400624df1bde923896a535da0cb82e16
-
memory/8-131-0x0000000000000000-mapping.dmp
-
memory/2160-130-0x0000000000000000-mapping.dmp