Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-07-2022 23:37
Static task: static1
Behavioral task: behavioral1
- Sample: 21fb31606845c8fd8d82260bb0ea260f.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 21fb31606845c8fd8d82260bb0ea260f.dll
- Resource: win10v2004-20220414-en
General
- Target: 21fb31606845c8fd8d82260bb0ea260f.dll
- Size: 5.0MB
- MD5: 21fb31606845c8fd8d82260bb0ea260f
- SHA1: c4e230392f7a95e383a358fcf88d9b68b3d979d2
- SHA256: 3534ca1c2f0bc7f1e7bddd39d156a2cce00987ed4c22d2817680bfa5fc8ccdf0
- SHA512: fdd7ea707610c09ec7e88457aa63a239b97ea935a438ad89c87f76a749b25a419703ba9a9b421e52892ee2499bfa73f26c9d01befa6c51057d4812116eee6aca
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3106) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes: mssecsvr.exe, mssecsvr.exe
  pid   process
  5008  mssecsvr.exe
  1032  mssecsvr.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvr.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvr.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvr.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvr.exe
  description      ioc                                                                                                          process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvr.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 3848 wrote to memory of 4204  3848  rundll32.exe  rundll32.exe
  PID 3848 wrote to memory of 4204  3848  rundll32.exe  rundll32.exe
  PID 3848 wrote to memory of 4204  3848  rundll32.exe  rundll32.exe
  PID 4204 wrote to memory of 5008  4204  rundll32.exe  mssecsvr.exe
  PID 4204 wrote to memory of 5008  4204  rundll32.exe  mssecsvr.exe
  PID 4204 wrote to memory of 5008  4204  rundll32.exe  mssecsvr.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\21fb31606845c8fd8d82260bb0ea260f.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\21fb31606845c8fd8d82260bb0ea260f.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe
      command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe
  command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvr.exe
  Filesize: 2.2MB
  MD5: 456fb8c6da133490533b067a8f206a30
  SHA1: fd1d8f09283c53d1e652c8a6b2595ce558cdcd0f
  SHA256: cf11a832eb1cd494bea55294740ec00d7c8a906cca8074d237d017fc349d3765
  SHA512: 3fbe1869ff866dad2aa41e060078dda43a8412a7ec82300583905eaf70cddc1d92d338a740f5bb0e453435b55595713834548e31104c7bd70506065ba71d562b
- C:\Windows\mssecsvr.exe
  Filesize: 2.2MB
  MD5: 456fb8c6da133490533b067a8f206a30
  SHA1: fd1d8f09283c53d1e652c8a6b2595ce558cdcd0f
  SHA256: cf11a832eb1cd494bea55294740ec00d7c8a906cca8074d237d017fc349d3765
  SHA512: 3fbe1869ff866dad2aa41e060078dda43a8412a7ec82300583905eaf70cddc1d92d338a740f5bb0e453435b55595713834548e31104c7bd70506065ba71d562b
- memory/4204-130-0x0000000000000000-mapping.dmp
- memory/5008-131-0x0000000000000000-mapping.dmp