Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-07-2022 18:39
Static task: static1
Behavioral task: behavioral1
- Sample: b4bb472fa8b01b19ff8ab5a6e46125f9.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: b4bb472fa8b01b19ff8ab5a6e46125f9.dll
- Resource: win10v2004-20220718-en
General
- Target: b4bb472fa8b01b19ff8ab5a6e46125f9.dll
- Size: 5.0MB
- MD5: b4bb472fa8b01b19ff8ab5a6e46125f9
- SHA1: 4cb651d5b16fd5b3cff4246b28679378c546aa20
- SHA256: 4bf1fbbd994e86b9419d03ba4e930e2367837952ce603cbbed1d71750718c7c4
- SHA512: f40f9ed6d5e7e7d51f20b0867bffc8fef0813c8a2836e0880b4da345ddb00e9b097ad36f93394b59f1050950827ae849f0df2a4b9cec13fb77b15dfb52a56300
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3094) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    4900 | mssecsvc.exe
    3636 | mssecsvc.exe
    1612 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                     | process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description     | ioc                                                                                                           | process
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid  | process      | target process
    PID 3456 wrote to memory of 856  | 3456 | rundll32.exe | rundll32.exe
    PID 3456 wrote to memory of 856  | 3456 | rundll32.exe | rundll32.exe
    PID 3456 wrote to memory of 856  | 3456 | rundll32.exe | rundll32.exe
    PID 856 wrote to memory of 4900  | 856  | rundll32.exe | mssecsvc.exe
    PID 856 wrote to memory of 4900  | 856  | rundll32.exe | mssecsvc.exe
    PID 856 wrote to memory of 4900  | 856  | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4bb472fa8b01b19ff8ab5a6e46125f9.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4bb472fa8b01b19ff8ab5a6e46125f9.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 7235f260ef68f0aa902cc6652566da79
  SHA1: 7e357ba751207b4a0d25a2cab05ae12b7b3f5045
  SHA256: 505ddf47559ed7a36aafcc493bb3001e7e7c7cfdc7e419b66e2bb9d805ca4808
  SHA512: 87db6eae21f32b3a48d01ff31cabc081587b9279629e78569d4f258b391da899640cf7f1af094ab151f65d593976228eec3dcb0d0556f1396bfbe8970022fbd2
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: ba8922fceaeed80297c3c391c8844b70
  SHA1: 2ef2a451fbcd42a938ae3d7bfad93dbc8ebe144f
  SHA256: e3825cad783a302902576ca4cfae9fdfc8640a012876402c89e7dd22475cda91
  SHA512: faee2d00623ab8a0db455a4b26074faed6da189220630f5260c331ed3d7f633f4cb253efaae25101c64ca836bea92b2de9e8c18614da483d4614b2e176d159bb
- memory/856-130-0x0000000000000000-mapping.dmp
- memory/4900-131-0x0000000000000000-mapping.dmp