Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2022 18:40
Static task: static1
Behavioral task: behavioral1
  Sample: 79f1d601ece826493e4e2b409980f6ac.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 79f1d601ece826493e4e2b409980f6ac.dll
  Resource: win10v2004-20220414-en
General
Target: 79f1d601ece826493e4e2b409980f6ac.dll
Size: 5.0MB
MD5: 79f1d601ece826493e4e2b409980f6ac
SHA1: 5132e83d8bb0b0998918dad8f48c45d37b001877
SHA256: 268c5e3f3050d96c2fc80f38e7a81846bd799ba949d69f35bd2151e509189505
SHA512: fb55c19f5b4afe04781dfcdf95ec17373be5040e1cdb1b8d9f63214ebb5ecacbfbf403cf15ec2b509fa5086de5d4ff8ab1b84c2fd9f2c4bccadca8fb3096d3af
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3126) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    2760  mssecsvc.exe
    1020  mssecsvc.exe
    4656  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                                 process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process       target process
    PID 4476 wrote to memory of 3196   4476  rundll32.exe  rundll32.exe
    PID 4476 wrote to memory of 3196   4476  rundll32.exe  rundll32.exe
    PID 4476 wrote to memory of 3196   4476  rundll32.exe  rundll32.exe
    PID 3196 wrote to memory of 2760   3196  rundll32.exe  mssecsvc.exe
    PID 3196 wrote to memory of 2760   3196  rundll32.exe  mssecsvc.exe
    PID 3196 wrote to memory of 2760   3196  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\79f1d601ece826493e4e2b409980f6ac.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\79f1d601ece826493e4e2b409980f6ac.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
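The behaviours listed under Signatures and in the process tree above, expressed as detection checks and run over a handful of constructed Sysmon-style events. This is an added example, not part of the sandbox report: the event dictionaries, the parent pids 900 and 700, the 445/tcp flows attributed to the `-m security` process and the alert threshold of 100 distinct destination hosts are all assumptions; the pids, paths, registry values and SHA256 hashes are taken from the report.

```python
"""Detection checks for the behaviours in this report, run over constructed
Sysmon-style events (added example; the events are not real telemetry)."""
from collections import defaultdict

# Indicators taken from the report; paths are compared case-insensitively.
KNOWN_SHA256 = {
    "ac4079ec566390347dfda8a14a0c7424a732538d4561efeff05a9af2181e920a": "mssecsvc.exe",
    "1ab54ced90bdb51ae642bbf882c92fae6a761119d40771acdfa01c644cb2722d": "tasksche.exe",
}
WINDOWS_DIR = "c:\\windows\\"
ZONEMAP = (r"\registry\user\.default\software\microsoft\windows"
           r"\currentversion\internet settings\zonemap")
SCAN_THRESHOLD = 100  # assumed alert threshold; the sandbox saw 3126 hosts


def norm(path):
    return path.lower()


# Constructed events mirroring the report's process tree (pids from the report;
# the parent pids 900/700 and the 445/tcp flows from pid 1020 are assumptions).
EVENTS = [
    {"kind": "process", "pid": 4476, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe"},
    {"kind": "process", "pid": 3196, "ppid": 4476, "image": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"kind": "file", "pid": 3196, "path": r"C:\WINDOWS\mssecsvc.exe",
     "sha256": "ac4079ec566390347dfda8a14a0c7424a732538d4561efeff05a9af2181e920a"},
    {"kind": "process", "pid": 2760, "ppid": 3196, "image": r"C:\WINDOWS\mssecsvc.exe"},
    {"kind": "file", "pid": 2760, "path": r"C:\WINDOWS\tasksche.exe",
     "sha256": "1ab54ced90bdb51ae642bbf882c92fae6a761119d40771acdfa01c644cb2722d"},
    {"kind": "process", "pid": 4656, "ppid": 2760, "image": r"C:\WINDOWS\tasksche.exe"},
    {"kind": "process", "pid": 1020, "ppid": 700, "image": r"C:\WINDOWS\mssecsvc.exe"},
] + [
    {"kind": "registry", "pid": 1020, "key": ZONEMAP + "\\" + name, "value": val}
    for name, val in [("AutoDetect", 0), ("ProxyBypass", 1),
                      ("IntranetName", 1), ("UNCAsIntranet", 1)]
] + [
    {"kind": "net", "pid": 1020, "dst": f"10.0.{i // 256}.{i % 256}", "dport": 445}
    for i in range(150)
]


def executes_dropped_exe(events):
    """'Executes dropped EXE': a process whose image an earlier event wrote to disk."""
    dropped, hits = set(), []
    for e in events:
        if e["kind"] == "file":
            dropped.add(norm(e["path"]))
        elif e["kind"] == "process" and norm(e["image"]) in dropped:
            hits.append(e["pid"])
    return hits


def drops_in_windows_dir(events):
    """'Drops file in Windows directory', with the dropping pid."""
    return [(e["pid"], e["path"]) for e in events
            if e["kind"] == "file" and norm(e["path"]).startswith(WINDOWS_DIR)]


def known_hash_drops(events):
    """Match dropped files against the SHA256 values listed under Downloads."""
    return {e["path"]: KNOWN_SHA256[e["sha256"]] for e in events
            if e["kind"] == "file" and e.get("sha256") in KNOWN_SHA256}


def zonemap_modifications(events):
    """'Modifies data under HKEY_USERS': writes below the .DEFAULT ZoneMap key."""
    return [(e["pid"], e["key"].rsplit("\\", 1)[1], e["value"]) for e in events
            if e["kind"] == "registry" and norm(e["key"]).startswith(ZONEMAP)]


def rundll32_chain(events):
    """rundll32.exe -> mssecsvc.exe -> tasksche.exe ancestry as (grandparent, parent, child) pids."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    chains = []
    for p in procs.values():
        if not norm(p["image"]).endswith("\\tasksche.exe"):
            continue
        parent = procs.get(p["ppid"])
        grand = procs.get(parent["ppid"]) if parent else None
        if (parent and grand and norm(parent["image"]).endswith("\\mssecsvc.exe")
                and norm(grand["image"]).endswith("\\rundll32.exe")):
            chains.append((grand["pid"], parent["pid"], p["pid"]))
    return chains


def scanning_processes(events, threshold=SCAN_THRESHOLD):
    """'Contacts a large number of remote hosts': distinct destinations per pid."""
    dsts = defaultdict(set)
    for e in events:
        if e["kind"] == "net":
            dsts[e["pid"]].add(e["dst"])
    return {pid: len(d) for pid, d in dsts.items() if len(d) >= threshold}


if __name__ == "__main__":
    print("executes dropped exe:", executes_dropped_exe(EVENTS))
    print("drops in Windows dir:", drops_in_windows_dir(EVENTS))
    print("known-hash drops:", known_hash_drops(EVENTS))
    print("ZoneMap writes:", zonemap_modifications(EVENTS))
    print("rundll32 chain:", rundll32_chain(EVENTS))
    print("scanning pids:", scanning_processes(EVENTS))
```

The ancestry check is the one worth carrying into production: a lone `mssecsvc.exe` launch can be argued away, but `rundll32.exe` loading a user-writable DLL and then spawning an executable it just dropped into `C:\Windows` has no benign counterpart. The host-count threshold is a tuning knob; the sandbox's 3126 hosts in 155 seconds is far above anything a workstation should produce on 445/tcp.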
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e362cb734da0b90095581f7a9f546056
  SHA1: 6413c71f105ceeb525a21b3ad4216181bb52907d
  SHA256: ac4079ec566390347dfda8a14a0c7424a732538d4561efeff05a9af2181e920a
  SHA512: 6d0b3b33b33a95a85e80bcb6275e38fce58ecf69c1c6d694dd3be4eef806f15da9d462bd173f58c13623a776ffbac79a80cbb16f913a09e49899fbcb332e7488
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 6a69a62b5dffae6c9bdb581a9d2db76e
  SHA1: 540ef36e63190662eeffd2f04286aa3c4b02922d
  SHA256: 1ab54ced90bdb51ae642bbf882c92fae6a761119d40771acdfa01c644cb2722d
  SHA512: 6638db680427c47abffca484aff19516716f5e3ac59eb6b562d086987b51bf7c053daa22c87b40187a0a98323b917cd7abb882279e37f7e47d9a427632f4d49c
- memory/2760-131-0x0000000000000000-mapping.dmp
- memory/3196-130-0x0000000000000000-mapping.dmp