Analysis
Max time kernel: 153s
Max time network: 194s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 14-07-2022 01:55
Static task: static1
Behavioral task: behavioral1
  Sample: 48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll
  Resource: win10v2004-20220414-en
General
Target: 48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll
Size: 5.0MB
MD5: 1ced543091b9dc5fd59237f675d6dd90
SHA1: d464770ef157cef154d181573c81bd3cba357127
SHA256: 48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281
SHA512: cc279ee918c59f0f12ab51b2a88ac2ee801be6adbacce368bc84b6b6dba781c0c0fa6d389a2cc420503ead178efb1336c2bcb40052049664a1c8486d807029d2
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    3592  mssecsvc.exe
    4928  mssecsvc.exe
    4480  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description      IoC                                                                                                              Process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                      PID   Process       Target process
    PID 3320 wrote to memory of 64   3320  rundll32.exe  rundll32.exe
    PID 3320 wrote to memory of 64   3320  rundll32.exe  rundll32.exe
    PID 3320 wrote to memory of 64   3320  rundll32.exe  rundll32.exe
    PID 64 wrote to memory of 3592   64    rundll32.exe  mssecsvc.exe
    PID 64 wrote to memory of 3592   64    rundll32.exe  mssecsvc.exe
    PID 64 wrote to memory of 3592   64    rundll32.exe  mssecsvc.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         4. C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
1. C:\WINDOWS\mssecsvc.exe
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 36e81fd6c5ea829ac56dd19c68b7ca0c
  SHA1: 94ec59960e278c1c34826a73a2244277721be3d3
  SHA256: 9cc92eb0da2056e09e126d3358a0264f6bb0d6f848961b59f468e0a74bab12c0
  SHA512: b41bca7ea3dd971dfb32c930e303ac3d7da6ee9e6315a0a6ba7ef8e6d9fa6523a5d9c0bb4da68d51dfdcbfe5d6e7f38b468da72b4aaebcd5376a1e5852152c82
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 36e81fd6c5ea829ac56dd19c68b7ca0c
  SHA1: 94ec59960e278c1c34826a73a2244277721be3d3
  SHA256: 9cc92eb0da2056e09e126d3358a0264f6bb0d6f848961b59f468e0a74bab12c0
  SHA512: b41bca7ea3dd971dfb32c930e303ac3d7da6ee9e6315a0a6ba7ef8e6d9fa6523a5d9c0bb4da68d51dfdcbfe5d6e7f38b468da72b4aaebcd5376a1e5852152c82
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b0e9218be520b2f8391ab5c575bf98d0
  SHA1: 5909e58b6768cc219990f0ebe10782606656fb5f
  SHA256: 0fb71a0d4f29cdaff0192e3c4c2cc5df9f0af23b205f3c911a482a06d8de3c68
  SHA512: 4b5da5cc9f1162c373aad51473e20f062eabfc67077ed83ce02f65556932547c7a2614704b0c1069cd770831f746e5c8249ab52a8ef98bf722f18cd5313e8012
- memory/64-130-0x0000000000000000-mapping.dmp
- memory/3592-131-0x0000000000000000-mapping.dmp