Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-07-2022 23:44

Static task
- static1

Behavioral task
- behavioral1
  Sample: cd59384c604a5f9e447adc1e97e95291.dll
  Resource: win7-20220718-en

Behavioral task
- behavioral2
  Sample: cd59384c604a5f9e447adc1e97e95291.dll
  Resource: win10v2004-20220718-en

General
- Target: cd59384c604a5f9e447adc1e97e95291.dll
- Size: 5.0MB
- MD5: cd59384c604a5f9e447adc1e97e95291
- SHA1: 098bfc9ba19f826f33c16697a0af3a8d805e922a
- SHA256: 7d0e5ba752f278eade0152fc94f590d565f3f96737620f4084534de58d4f8187
- SHA512: 72fa297ac5b4616edf42349c564cff26cac5efddfdd0a9daa96c2aa70779247e43cccee1797d7856d09a4a8c356868587bc7496fa854d8bb615b2d4ecab4f342
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2602) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 3444  mssecsvc.exe
    PID 4796  mssecsvc.exe
    PID 4232  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created  C:\WINDOWS\mssecsvc.exe  (by rundll32.exe)
    File created  C:\WINDOWS\tasksche.exe  (by mssecsvc.exe)
- Program crash (1 IoCs)
  Processes:
    PID 3992  WerFault.exe  (target PID 4232, tasksche.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (all by mssecsvc.exe):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 2492  rundll32.exe  wrote to memory of PID 3124  rundll32.exe   (3 writes)
    PID 3124  rundll32.exe  wrote to memory of PID 3444  mssecsvc.exe   (3 writes)
    PID 3444  mssecsvc.exe  wrote to memory of PID 4232  tasksche.exe   (3 writes)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd59384c604a5f9e447adc1e97e95291.dll,#1
  PID: 2492
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd59384c604a5f9e447adc1e97e95291.dll,#1
    PID: 3124
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3444
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4232
        - Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 216
          PID: 3992
          - Program crash
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4796
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4232 -ip 4232
  PID: 524
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 747ff3b923618f9c579309bc33fe9f64
  SHA1: 8a44b79f0042393ffc568ba16968e02f8b20d5cd
  SHA256: 4651c4359c600dc9fbd92e744352a63bbe7e345db8d05857879b925dbb13c679
  SHA512: 5a4495b2b925872c24dd1daeb87b0fabfaf229cc3b4fade9db76ca92c4ca743f6263b6b00e50986add57440b6e05ff5f230fc9c041b86a9353dff715250bc525
- C:\WINDOWS\tasksche.exe
  Filesize: 3.4MB
  MD5: c8e7ed224160ab24e4232f5e6fd8bc08
  SHA1: 8bcbe1b427c7c65810d25d5e1bd6788073ab037d
  SHA256: 7176e96fab482a3569ae24b2dbdb81720cfc354199923294aafca76d7be28c8b
  SHA512: dd063fc9a0ba9b0743eea55f6f040ed350598e0adb3545054727b52ddac6aef02f6dd5fbc395520a0d21da18b85a6b69d353bcb1fe3413f1f67ec18e26d89cb8
- memory/3124-130-0x0000000000000000-mapping.dmp
- memory/3444-131-0x0000000000000000-mapping.dmp
- memory/4232-135-0x0000000000000000-mapping.dmp