Analysis
- Max time kernel: 150s
- Max time network: 154s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 12-07-2022 19:04

Static task: static1

Behavioral task: behavioral1
- Sample: 4a82d196da45ff09474f521af44f731343e426829e90415c7c65f57c7ecfdba2.dll
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 4a82d196da45ff09474f521af44f731343e426829e90415c7c65f57c7ecfdba2.dll
- Resource: win10v2004-20220414-en
General
- Target: 4a82d196da45ff09474f521af44f731343e426829e90415c7c65f57c7ecfdba2.dll
- Size: 5.0MB
- MD5: 3193ed2ff9928faf1ce5979ff9445359
- SHA1: cb133ba5940c887b6f326f548c9c35ff30b4598d
- SHA256: 4a82d196da45ff09474f521af44f731343e426829e90415c7c65f57c7ecfdba2
- SHA512: c67f4e5349c8d85deeb219bfd93a75609f23cbd117417f6cc02435a348d8b8c057d043d3d2ceb8cce5742f2a6beeab419d4a03a4194a78059fbaa8599e7da487
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large number (3266) of remote hosts (1 TTP): this may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID   Process
  1364  mssecsvc.exe
  816   mssecsvc.exe
  1784  tasksche.exe
- Creates a large number of network flows (1 TTP): this may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs), all by process mssecsvc.exe
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description         PID   Process       Target PID  Target process
  wrote to memory of  4932  rundll32.exe  2064        rundll32.exe
  wrote to memory of  4932  rundll32.exe  2064        rundll32.exe
  wrote to memory of  4932  rundll32.exe  2064        rundll32.exe
  wrote to memory of  2064  rundll32.exe  1364        mssecsvc.exe
  wrote to memory of  2064  rundll32.exe  1364        mssecsvc.exe
  wrote to memory of  2064  rundll32.exe  1364        mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a82d196da45ff09474f521af44f731343e426829e90415c7c65f57c7ecfdba2.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a82d196da45ff09474f521af44f731343e426829e90415c7c65f57c7ecfdba2.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a50e6c13250b703735e6fe3cd6108471
  SHA1: ba08a450d2e3deea3507fe628e7c0eed61f513c8
  SHA256: 53754080355bdd6e8e6e0a2c0fd4e338e9cebc1b14639e12f91803ff26796a3b
  SHA512: e6c74ac90b7fc32e523a1e1d09762ce3aeb5dd43c421299e7fe596562032c2bfbd8135ad6609c44d7878447a82b5bd0842133ede209b93ac6c6fc0495929bb99
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 7f7ccaa16fb15eb1c7399d422f8363e8
  SHA1: bd44d0ab543bf814d93b719c24e90d8dd7111234
  SHA256: 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
  SHA512: 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7
- memory/1364-131-0x0000000000000000-mapping.dmp
- memory/2064-130-0x0000000000000000-mapping.dmp