Analysis

Max time kernel: 150s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 19-07-2022 23:35

Static task: static1
Behavioral task behavioral1: sample e01c3d5341904df74c97c4381c59b48d.dll, resource win7-20220715-en
Behavioral task behavioral2: sample e01c3d5341904df74c97c4381c59b48d.dll, resource win10v2004-20220414-en
General

Target: e01c3d5341904df74c97c4381c59b48d.dll
Size: 5.0MB
MD5: e01c3d5341904df74c97c4381c59b48d
SHA1: 6f5d96ec6b0c757bf288f7d322a546bac131c465
SHA256: 749eaa7de1b56feff6b790d65516822326f56ecff68bb7ce14ce410a4fe24646
SHA512: e5e3ae53fcd67f12def785e51944cb76e41ab3ea0b78baa1e54769abdd6e2d7aa0e42f7a5560291b409c96eed9dbd279393fca106ca170d1633081dc3db7a379
Malware Config

Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large number (3229) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (2 IoCs)
  Processes:
    PID 4704  mssecsvr.exe
    PID 1460  mssecsvr.exe

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvr.exe
    File created  C:\WINDOWS\mssecsvr.exe  by rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  by mssecsvr.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Process: mssecsvr.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    PID 2136 rundll32.exe wrote to memory of PID 4544 rundll32.exe  (3 events)
    PID 4544 rundll32.exe wrote to memory of PID 4704 mssecsvr.exe  (3 events)
Processes
(PIDs taken from the IoC tables above; the trailing digit after each command line in the raw report is the tree depth.)

- C:\Windows\system32\rundll32.exe (PID 2136, depth 1)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e01c3d5341904df74c97c4381c59b48d.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4544, depth 2)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\e01c3d5341904df74c97c4381c59b48d.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe (PID 4704, depth 3)
      C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory

- C:\WINDOWS\mssecsvr.exe (PID 1460, depth 1)
  C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
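Added example (not part of the sandbox report): a Python detection pass that checks endpoint telemetry for the behaviour chain recorded above, namely rundll32.exe dropping and launching C:\WINDOWS\mssecsvr.exe, the second-stage `mssecsvr.exe -m security` invocation, the ZoneMap writes under the .DEFAULT hive, the dropped-file hashes, and one process contacting an unusually large number of distinct remote hosts. The event dictionaries and their field names, the 150-host constructed scan traffic, its attribution to PID 1460 and the HOST_THRESHOLD value are assumptions; the paths, PIDs, command lines, registry keys and hashes are copied from this report.

```python
"""Behavioural detection over constructed endpoint telemetry, modelled on the
sandbox findings for e01c3d5341904df74c97c4381c59b48d.dll.

Added example, not part of the sandbox report. Event shape, field names and
HOST_THRESHOLD are assumptions; paths, PIDs, command lines, registry keys and
hashes are taken from the report.
"""
from collections import defaultdict

# SHA256 values listed in the report: the submitted DLL and the dropped EXE.
KNOWN_SHA256 = {
    "749eaa7de1b56feff6b790d65516822326f56ecff68bb7ce14ce410a4fe24646": "loader DLL",
    "6a000b73cd7a5edf5fe93db5196cc102eeb25e9bf519aee996c93190e092bf24": "mssecsvr.exe",
}
# Files the report shows being created directly under the Windows directory.
DROPPED_PATHS = {r"c:\windows\mssecsvr.exe", r"c:\windows\tasksche.exe"}
# Key prefix written under the .DEFAULT user hive ("Modifies data under HKEY_USERS").
ZONEMAP_PREFIX = ("\\registry\\user\\.default\\software\\microsoft\\windows"
                  "\\currentversion\\internet settings\\zonemap\\")
# Assumption: far below the 3229 hosts the sandbox counted, above normal client fan-out.
HOST_THRESHOLD = 100


def _norm(path):
    """Case-fold a Windows path so C:\\WINDOWS and C:\\Windows compare equal."""
    return (path or "").lower()


def detect(events):
    """Return {rule_name: sorted list of PIDs} for every rule that fired."""
    hits = defaultdict(set)
    remote_hosts = defaultdict(set)  # pid -> distinct destination addresses
    for e in events:
        pid, image, kind = e["pid"], _norm(e["image"]), e["type"]
        if kind == "process":
            parent = _norm(e.get("parent_image"))
            # rundll32 launching an executable that lives at a dropped-file path.
            if parent.endswith("\\rundll32.exe") and image in DROPPED_PATHS:
                hits["rundll32_spawns_dropped_exe"].add(pid)
            # Second-stage invocation seen in the report: mssecsvr.exe -m security
            if image.endswith("\\mssecsvr.exe") and " -m security" in e["cmdline"].lower():
                hits["mssecsvr_service_mode"].add(pid)
        elif kind == "file_create":
            if _norm(e["path"]) in DROPPED_PATHS:
                hits["drop_in_windows_dir"].add(pid)
            if e.get("sha256") in KNOWN_SHA256:
                hits["known_bad_hash"].add(pid)
        elif kind == "registry_set":
            if _norm(e["key"]).startswith(ZONEMAP_PREFIX):
                hits["default_user_zonemap_write"].add(pid)
        elif kind == "network":
            remote_hosts[pid].add(e["dst"])
    # "Contacts a large amount of remote hosts": count distinct peers per process.
    for pid, hosts in remote_hosts.items():
        if len(hosts) >= HOST_THRESHOLD:
            hits["mass_remote_host_contact"].add(pid)
    return {rule: sorted(pids) for rule, pids in hits.items()}


DLL = r"C:\Users\Admin\AppData\Local\Temp\e01c3d5341904df74c97c4381c59b48d.dll"
RUNDLL32_64 = r"C:\Windows\system32\rundll32.exe"
RUNDLL32_32 = r"C:\Windows\SysWOW64\rundll32.exe"
MSSECSVR = r"C:\WINDOWS\mssecsvr.exe"
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# Constructed telemetry following the report's process tree and IoC tables.
EVENTS = [
    {"type": "process", "pid": 2136, "image": RUNDLL32_64, "parent_image": None,
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process", "pid": 4544, "image": RUNDLL32_32, "parent_image": RUNDLL32_64,
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "file_create", "pid": 4544, "image": RUNDLL32_32, "path": MSSECSVR,
     "sha256": "6a000b73cd7a5edf5fe93db5196cc102eeb25e9bf519aee996c93190e092bf24"},
    {"type": "process", "pid": 4704, "image": MSSECSVR, "parent_image": RUNDLL32_32,
     "cmdline": MSSECSVR},
    {"type": "file_create", "pid": 4704, "image": MSSECSVR, "path": r"C:\WINDOWS\tasksche.exe",
     "sha256": None},
    {"type": "process", "pid": 1460, "image": MSSECSVR, "parent_image": None,
     "cmdline": MSSECSVR + " -m security"},
    {"type": "registry_set", "pid": 1460, "image": MSSECSVR, "key": ZONEMAP + r"\UNCAsIntranet", "value": 1},
    {"type": "registry_set", "pid": 1460, "image": MSSECSVR, "key": ZONEMAP + r"\AutoDetect", "value": 0},
]
# Constructed scan traffic: 150 distinct peers from PID 1460. The report does not
# attribute its 3229 hosts to a PID; the attribution here is an assumption.
EVENTS += [{"type": "network", "pid": 1460, "image": MSSECSVR, "dst": f"10.0.{i // 256}.{i % 256}"}
           for i in range(150)]

if __name__ == "__main__":
    for rule, pids in sorted(detect(EVENTS).items()):
        print(f"{rule:30} PIDs {pids}")
```

Each rule maps to one signature in the report, so a hit list can be read back against the IoC tables; the benign-looking first rundll32.exe (PID 2136) triggers nothing on its own, which is the point of keying on the parent/child relation and the dropped-file paths rather than on rundll32.exe itself.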
Downloads

- C:\WINDOWS\mssecsvr.exe
  Filesize: 3.6MB
  MD5: 7b95b65f19ea524a91aa51c5e31b9fe7
  SHA1: 238dcc422df18fa90787efd69ef2a35de53b8cfb
  SHA256: 6a000b73cd7a5edf5fe93db5196cc102eeb25e9bf519aee996c93190e092bf24
  SHA512: 34e24204ab2aaf662f5a9168685ee8a9841a61fbebbc4c3a024633987823c0cf1c54121774ca5af9305d5366a5ab50d278c9eb520aa4fa10868bcd23e6d4beec
- memory/4544-130-0x0000000000000000-mapping.dmp
- memory/4704-131-0x0000000000000000-mapping.dmp