Analysis

- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-07-2022 23:38

Tasks

- Static task: static1
- Behavioral task: behavioral1
  Sample: baaf9b2f0ea5f26f4c4d8021216ca936.dll
  Resource: win7-20220718-en
- Behavioral task: behavioral2
  Sample: baaf9b2f0ea5f26f4c4d8021216ca936.dll
  Resource: win10v2004-20220414-en

General

- Target: baaf9b2f0ea5f26f4c4d8021216ca936.dll
- Size: 5.0MB
- MD5: baaf9b2f0ea5f26f4c4d8021216ca936
- SHA1: aeb5c2bfcd95fe5b63e8709bfcac6f1270f3abc2
- SHA256: 59eee303cf6cbf5bc6019b07f3e49714cbcc8f98639b36d55a9e0289de456c91
- SHA512: 44846385fd7df191ff39d817f51155db3b3bfdca022e6638751dba9463fcfbe749147fac12b72db55b39b8a7199715e544164710fd5049b98ea74d104e8c32fa
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3112) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    4316  mssecsvc.exe
    2280  mssecsvc.exe
    1216  tasksche.exe

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description      IoC                                                                                                        Process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Caveat: these values sit under the .DEFAULT hive, the profile used by services and other non-interactive processes, and they are the ZoneMap defaults that WinINet/urlmon typically write the first time a process in that profile initialises them. On their own they show that mssecsvc.exe set up Internet Settings in that context (consistent with the worm component's HTTP kill-switch check), not that the sample deliberately reconfigured Internet zones.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                      PID   Process       Target process
    PID 3932 wrote to memory of 64   3932  rundll32.exe  rundll32.exe
    PID 3932 wrote to memory of 64   3932  rundll32.exe  rundll32.exe
    PID 3932 wrote to memory of 64   3932  rundll32.exe  rundll32.exe
    PID 64 wrote to memory of 4316   64    rundll32.exe  mssecsvc.exe
    PID 64 wrote to memory of 4316   64    rundll32.exe  mssecsvc.exe
    PID 64 wrote to memory of 4316   64    rundll32.exe  mssecsvc.exe
  Caveat: every write here is from a parent into a child it has just launched, which is consistent with the writes CreateProcess itself performs to set up the new process's parameter block, so this signature is a weak indicator by itself. The dropped-file entries and the process tree below are the stronger evidence.
Processes

Process tree (depth shown by indentation; PIDs taken from the signature tables above, 2280 by elimination):

- C:\Windows\system32\rundll32.exe (PID 3932)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\baaf9b2f0ea5f26f4c4d8021216ca936.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 64)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\baaf9b2f0ea5f26f4c4d8021216ca936.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 4316)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1216)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2280)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

Notes: the ",#1" argument makes rundll32 call the DLL export at ordinal 1. The 64-bit rundll32 in system32 hands the DLL to its 32-bit counterpart in SysWOW64 (the sample is an x86 DLL, matching the arch:x86 resource tag), and it is that second instance that drops mssecsvc.exe. The second mssecsvc.exe instance, started with -m security, has no parent in the tree and is the one the HKEY_USERS signature attaches to.
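As an added example, not code from this report, the sandbox, or the sample, the following Python replays three of the signatures above ("Executes dropped EXE", the process tree, and "Contacts a large amount of remote hosts") over constructed event records shaped like this process tree. The event schema (ts, event, pid, ppid, image, cmdline, path), the (pid, destination) flow tuples, the 10.0.0.0/16 destination range and the threshold of 100 hosts are all assumptions; the report itself gives only the host count and no ports or ranges.

```python
"""Replay three of the report's behavioural signatures over constructed events.

Added example for this page; not code from the sandbox or the sample.
Event field names and the flow tuples are an assumed schema, not a real
sandbox export format.
"""
import ipaddress
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\baaf9b2f0ea5f26f4c4d8021216ca936.dll"

# Constructed process/file events mirroring the report's process tree.
EVENTS = [
    {"ts": 1, "event": "process_create", "pid": 3932, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"ts": 2, "event": "process_create", "pid": 64, "ppid": 3932,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"ts": 3, "event": "file_create", "pid": 64, "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"ts": 4, "event": "process_create", "pid": 4316, "ppid": 64,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"ts": 5, "event": "file_create", "pid": 4316, "path": r"C:\WINDOWS\tasksche.exe"},
    {"ts": 6, "event": "process_create", "pid": 1216, "ppid": 4316,
     "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    # Second mssecsvc.exe instance; the report shows it with no parent (ppid 0 = unknown).
    {"ts": 7, "event": "process_create", "pid": 2280, "ppid": 0,
     "image": r"C:\Windows\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
]

# Constructed network flows as (pid, destination IP). The report gives only
# the host count (3112); the 10.0.0.0/16 range here is arbitrary.
FLOWS = [(64, "203.0.113.10"), (64, "203.0.113.10")]
FLOWS += [(2280, str(ipaddress.IPv4Address("10.0.0.1") + i)) for i in range(3112)]


def _norm(path):
    # Windows paths compare case-insensitively; the report mixes
    # C:\WINDOWS and C:\Windows for the same file.
    return path.replace("/", "\\").lower()


def executed_dropped_exes(events):
    """'Executes dropped EXE': a file_create of an .exe followed by a
    process_create whose image is that file. Returns (creator_pid,
    normalised_path, pid) tuples in execution order."""
    dropped = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "file_create" and ev["path"].lower().endswith(".exe"):
            dropped.setdefault(_norm(ev["path"]), ev["pid"])
        elif ev["event"] == "process_create":
            key = _norm(ev["image"])
            if key in dropped:
                hits.append((dropped[key], key, ev["pid"]))
    return hits


def process_chain(events, pid):
    """Walk ppid links back to the root and return the command lines from
    root to pid, i.e. the branch of the process tree that ends in pid."""
    by_pid = {e["pid"]: e for e in events if e["event"] == "process_create"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["cmdline"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def noisy_processes(flows, threshold):
    """'Contacts a large amount of remote hosts': count distinct destinations
    per pid and report those at or above threshold (an assumed value)."""
    hosts = defaultdict(set)
    for pid, dst in flows:
        hosts[pid].add(dst)
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


if __name__ == "__main__":
    for creator, path, pid in executed_dropped_exes(EVENTS):
        print(f"pid {pid} executed {path}, dropped by pid {creator}")
    print(" -> ".join(process_chain(EVENTS, 1216)))
    print(noisy_processes(FLOWS, threshold=100))
```

On the constructed input this reproduces the report's three "Executes dropped EXE" hits (PIDs 4316, 1216 and 2280), the four-process branch from the system32 rundll32 down to tasksche.exe /i, and a single process (2280) with 3112 distinct destinations. The case-folding in `_norm` matters in practice: an exact-string comparison would miss the C:\Windows\mssecsvc.exe execution that the report lists alongside the C:\WINDOWS spelling.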
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\WINDOWS\mssecsvc.exe (the report also lists this file as C:\Windows\mssecsvc.exe with identical hashes)
  Filesize: 3.6MB
  MD5: 6ebbe1b87c4ff3ed8c431a8597f0ce0b
  SHA1: 05e3ccb742c5f01a30fc703b12497cd17f346032
  SHA256: 7814ae9dc6b4433524337c3cd1e5d44ad5cb1f2a4da166e93895eb7120ede696
  SHA512: 725bb9e049b849a3df7318449ddb9f654d8844e5828b6686a4aa55877988fdac3374bf966b335e6152dcd628e6d3537ded2f9d1361dbf9de8590b02cb2869083
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f77962a587f11843491c9802bcbfc040
  SHA1: 7c21e00421c51c4060bb160a1efa57e3a10abc4f
  SHA256: e426116f7da1f6021e2475bfcab94073862fb1a1289826cd69e7a9a605934e6f
  SHA512: 95b8f99117fc7fe9ad94cf6f6b39774a59bd9999eb82f1779ac62f46f28d725502ec3935e5dcec5119c465e81861e86478dc70e9baeec7b61ea549568a10d197
Memory dumps (pid-index-base naming):

- memory/64-130-0x0000000000000000-mapping.dmp
- memory/4316-131-0x0000000000000000-mapping.dmp