Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-07-2022 23:41
Static task: static1
Behavioral task: behavioral1
- Sample: 181bdb0bb45f29d41b5d1a0830e58ba7.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 181bdb0bb45f29d41b5d1a0830e58ba7.dll
- Resource: win10v2004-20220414-en
General
- Target: 181bdb0bb45f29d41b5d1a0830e58ba7.dll
- Size: 5.0MB
- MD5: 181bdb0bb45f29d41b5d1a0830e58ba7
- SHA1: 7d50515b1da7296c81d49931536ce90fe60772e0
- SHA256: fc6925466cd3b0991a740ba4c92fa5930d7e919574e78ea5b16285181e32ca4d
- SHA512: ce0a5346b7352f22f3b07fc6bc0977a209bb863f53d8f3e5b8b593fc23bb01187826b81c5e1258a5554b718af3d1ba931159007378dd2dbf107606d856fa7dc1
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3220) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (PID / process):
    756   mssecsvc.exe
    1620  mssecsvc.exe
    4092  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description / IoC / process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description / IoC / process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / PID / process / target process):
    PID 2124 wrote to memory of 2224  rundll32.exe -> rundll32.exe
    PID 2124 wrote to memory of 2224  rundll32.exe -> rundll32.exe
    PID 2124 wrote to memory of 2224  rundll32.exe -> rundll32.exe
    PID 2224 wrote to memory of 756   rundll32.exe -> mssecsvc.exe
    PID 2224 wrote to memory of 756   rundll32.exe -> mssecsvc.exe
    PID 2224 wrote to memory of 756   rundll32.exe -> mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2124)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\181bdb0bb45f29d41b5d1a0830e58ba7.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2224)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\181bdb0bb45f29d41b5d1a0830e58ba7.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 756)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4092)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1620)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: dfdd4023897871bab56080fc0185b3a6
  SHA1: e43701e94be3456f80ba6d940f52ca0690a3895c
  SHA256: a6e60d6165c17d58e38ec1322e4dd44d8412c76ab2064202966b7ddd4f3e67cf
  SHA512: 6060039041354262442a0dd0653ee547356e5d1526257861703077fe2ac1222390871ba67c78f0e93a00bbc33f2d9fcc123a6896a9bfe0934073e4ec2aba5d75
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: dfdd4023897871bab56080fc0185b3a6
  SHA1: e43701e94be3456f80ba6d940f52ca0690a3895c
  SHA256: a6e60d6165c17d58e38ec1322e4dd44d8412c76ab2064202966b7ddd4f3e67cf
  SHA512: 6060039041354262442a0dd0653ee547356e5d1526257861703077fe2ac1222390871ba67c78f0e93a00bbc33f2d9fcc123a6896a9bfe0934073e4ec2aba5d75
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 70e0f5241de06447674f0e8c6dbe8ef6
  SHA1: 597065fec625783223b9b2ef987de0b49ef472fc
  SHA256: e4033409984bed86fe721d6cf74f7b6676320174f94146fbca9bdab3a7320843
  SHA512: e3fb27959cb54a37dc00e87255c31423ca844168defcf0c813148349b27d8892e9d8433c5a0a8149e32a55f42d105995c8f8691e05fecabe32ad9e83ad81c572
- memory/756-131-0x0000000000000000-mapping.dmp
- memory/2224-130-0x0000000000000000-mapping.dmp