Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 14-07-2022 00:13
Static task: static1
Behavioral task: behavioral1
- Sample: 494d19f02baf2f2a9b6eb3de088c8911b8a11fac6c960850110313b46d3bfe96.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 494d19f02baf2f2a9b6eb3de088c8911b8a11fac6c960850110313b46d3bfe96.dll
- Resource: win10v2004-20220414-en
General
- Target: 494d19f02baf2f2a9b6eb3de088c8911b8a11fac6c960850110313b46d3bfe96.dll
- Size: 5.0MB
- MD5: 87dc62e9d0c0e82a6f495204aa970a47
- SHA1: 9aad87c88e51124e25764d3bb5432262ee059a8a
- SHA256: 494d19f02baf2f2a9b6eb3de088c8911b8a11fac6c960850110313b46d3bfe96
- SHA512: d47f2b03c4641825bf87bf91e02a9ff72b2a4b8777261d69291908085d92da57fd06768221093fa7f34d217a95088e4caac383907fe289698a80ca41771d6337
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
-
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
-
Contacts a large number (3325) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes:
pid   process
4196  mssecsvc.exe
4340  mssecsvc.exe
1992  tasksche.exe
Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory (2 IoCs)
Processes:
description   ioc                       process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes:
description      ioc                                                                                                   process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                       pid   process       target process
PID 2796 wrote to memory of 4344  2796  rundll32.exe  rundll32.exe
PID 2796 wrote to memory of 4344  2796  rundll32.exe  rundll32.exe
PID 2796 wrote to memory of 4344  2796  rundll32.exe  rundll32.exe
PID 4344 wrote to memory of 4196  4344  rundll32.exe  mssecsvc.exe
PID 4344 wrote to memory of 4196  4344  rundll32.exe  mssecsvc.exe
PID 4344 wrote to memory of 4196  4344  rundll32.exe  mssecsvc.exe
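The two scanning signatures in the list above ("Contacts a large number of remote hosts", "Creates a large number of network flows") describe the fan-out pattern a flow-based detector keys on: one source reaching an unusually large set of distinct destinations on one port inside a short window. The code below is an added example, not part of this sandbox report. It runs over constructed flow records (timestamp, src, dst, dport); the /24 sweep on TCP 445 is chosen because WannaCry spreads over SMB, a port this report does not itself list, and the 100-destination, 60-second threshold is an assumed tuning value, not one from the report.

```python
import ipaddress
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records (ts_seconds, src, dst, dport); not taken from the report.

    One host sweeps every address of 10.0.5.0/24 on TCP 445 in about 25 seconds,
    while a benign workstation talks to three servers on TCP 443.
    """
    flows = []
    for i, host in enumerate(ipaddress.ip_network("10.0.5.0/24").hosts()):
        flows.append((i * 0.1, "10.0.1.20", str(host), 445))
    for i, dst in enumerate(("10.0.1.1", "10.0.2.10", "10.0.2.10", "203.0.113.8")):
        flows.append((i * 5.0, "10.0.1.30", dst, 443))
    return flows


def fan_out(flows, window=60):
    """Group flows into fixed windows and collect the distinct destinations per
    (src, dport, window bucket). Distinct destinations, not flow count, is the
    signal: a host re-contacting one server many times is not a scan."""
    seen = defaultdict(set)
    for ts, src, dst, dport in flows:
        bucket = int(ts // window)
        seen[(src, dport, bucket)].add(dst)
    return seen


def scan_sources(flows, threshold=100, window=60):
    """Return {(src, dport): peak distinct destinations} for every source/port pair
    that reached at least `threshold` distinct hosts within one window."""
    hits = {}
    for (src, dport, _bucket), dsts in fan_out(flows, window).items():
        if len(dsts) >= threshold:
            hits[(src, dport)] = max(len(dsts), hits.get((src, dport), 0))
    return hits


if __name__ == "__main__":
    for (src, dport), count in sorted(scan_sources(build_sample_flows()).items()):
        print(f"possible scan: {src} reached {count} distinct hosts on tcp/{dport}")
```

Against the report's figure of 3325 remote hosts the threshold is generous; the point of the window is to keep a slow inventory agent that touches the whole estate over a day from tripping the rule while a worm that sweeps a subnet in seconds does.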
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\494d19f02baf2f2a9b6eb3de088c8911b8a11fac6c960850110313b46d3bfe96.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\494d19f02baf2f2a9b6eb3de088c8911b8a11fac6c960850110313b46d3bfe96.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
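The tree above is what endpoint process-creation telemetry would show: the 64-bit rundll32.exe hands the 32-bit DLL to its SysWOW64 counterpart, which writes and starts C:\WINDOWS\mssecsvc.exe, which in turn drops and runs tasksche.exe /i; a second mssecsvc.exe instance appears under a different parent with "-m security". The code below is an added example, not part of this sandbox report. The events are constructed from the PIDs and command lines in the report; the parents of the two tree roots (explorer.exe and services.exe, with PIDs 1000 and 600) are assumed rather than observed, and the "ordinal export from user temp" and "dropped name executed from the Windows root" heuristics are my own, not rules the report states.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events modelled on the tree in the report.
# PIDs and command lines are the report's; explorer.exe (1000) and
# services.exe (600) as parents of the two roots are assumed.
DLL = r"C:\Users\Admin\AppData\Local\Temp\494d19f02baf2f2a9b6eb3de088c8911b8a11fac6c960850110313b46d3bfe96.dll"
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),                       # assumed
    ProcEvent(2796, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(4344, 2796, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(4196, 4344, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(1992, 4196, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(600, 4, r"C:\Windows\System32\services.exe", "services.exe"),              # assumed
    ProcEvent(4340, 600, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]

DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}       # file names the report shows being dropped
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+\b", re.IGNORECASE)  # rundll32 <dll>,#<ordinal>


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parent_dir(path):
    return path.rsplit("\\", 1)[0].lower()


def ancestry(events, pid):
    """Image basenames from `pid` up to the root, guarding against PID cycles."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return sorted (pid, reason) findings for the behaviours seen in the report."""
    findings = []
    for e in events:
        name = basename(e.image)
        # Heuristic (assumed): rundll32 invoking a DLL by ordinal from a user temp dir.
        if (name == "rundll32.exe" and ORDINAL_EXPORT.search(e.cmdline)
                and "\\appdata\\local\\temp\\" in e.cmdline.lower()):
            findings.append((e.pid, "rundll32 ordinal export from user temp"))
        # Heuristic (assumed): a dropped name running from C:\Windows itself, not System32.
        if name in DROPPED_NAMES and parent_dir(e.image) == r"c:\windows":
            findings.append((e.pid, f"{name} executed from Windows root"))
        # The exact chain the report's process tree shows.
        if ancestry(events, e.pid)[:3] == ["tasksche.exe", "mssecsvc.exe", "rundll32.exe"]:
            findings.append((e.pid, "rundll32 -> mssecsvc.exe -> tasksche.exe chain"))
        # The second instance: relaunched with the service argument seen in the report.
        if name == "mssecsvc.exe" and "-m security" in e.cmdline.lower():
            findings.append((e.pid, "mssecsvc.exe started with -m security"))
    return sorted(findings)


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The chain rule is the most specific of the four and the one to alert on with confidence; the two heuristics fire on ordinary admin activity often enough that they belong in a hunting query rather than a paging alert.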
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\WINDOWS\mssecsvc.exe
Filesize: 3.6MB
MD5: cc3a70ecc0e296a07e7f38fe72665c25
SHA1: e0482f30e2c295f675721aaf1121059ef2db5da2
SHA256: d3d0109630f864fb3cc86763061a27f388bb245814cedc62cdc086eb7916d50d
SHA512: ec7622160b9e8ed218f305181fe19567882b3b02a6ec5ed6735f8ffb78832524833507f7ca95caeb236c02348d4e329f0c68d6e036cdd5ffc818be73f58603d7
-
C:\Windows\mssecsvc.exe
Filesize: 3.6MB
MD5: cc3a70ecc0e296a07e7f38fe72665c25
SHA1: e0482f30e2c295f675721aaf1121059ef2db5da2
SHA256: d3d0109630f864fb3cc86763061a27f388bb245814cedc62cdc086eb7916d50d
SHA512: ec7622160b9e8ed218f305181fe19567882b3b02a6ec5ed6735f8ffb78832524833507f7ca95caeb236c02348d4e329f0c68d6e036cdd5ffc818be73f58603d7
-
C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: 0150f010140afdb31b7606baa110e0f8
SHA1: a0997d2fdc309ab6d3c115fae736225123128992
SHA256: b6e4c243f223148c33f102269ce48872584440bd3258bc435f9423f5e3b2c902
SHA512: 47220fd350dab3983f18c5dd624ca8042c39a946365f7b49b3dac29e0b65f9bb63d7569a69fda5990b8e7acc5411115aaddec9f4cfcd94759d8a199e1f3fd4d7
-
memory/4196-131-0x0000000000000000-mapping.dmp
-
memory/4344-130-0x0000000000000000-mapping.dmp