Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted
19-07-2022 18:41
Static task
static1
Behavioral task
behavioral1
Sample
53bd36e4beb02198ccdde6c3a75663c2.dll
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
53bd36e4beb02198ccdde6c3a75663c2.dll
Resource
win10v2004-20220718-en
General
-
Target
53bd36e4beb02198ccdde6c3a75663c2.dll
-
Size
5.0MB
-
MD5
53bd36e4beb02198ccdde6c3a75663c2
-
SHA1
c4c139c11405027b5a3f019f073d7b1c4082f905
-
SHA256
0bf994bea8d93e0307e56148b760e31d19afcc444e71ee7062025436aca9f0e9
-
SHA512
c02b67c609bc746311caefbfe4faf2332745bcdf1c0646bcc09d6153c1c01775e546a9a0b77e9cacb5dc39aaad505936bef9ad8a66bec7e22a6c92780f09b225
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3173) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (2 IoCs)
Processes: mssecsvr.exe, mssecsvr.exe
pid  | process
4544 | mssecsvr.exe
3744 | mssecsvr.exe
-
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory (2 IoCs)
Processes: mssecsvr.exe, rundll32.exe
description  | ioc                      | process
File created | C:\WINDOWS\tasksche.exe  | mssecsvr.exe
File created | C:\WINDOWS\mssecsvr.exe  | rundll32.exe
-
Modifies data under HKEY_USERS (5 IoCs)
Processes: mssecsvr.exe
description     | ioc                                                                                                    | process
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvr.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
description                      | pid  | process      | target process
PID 2632 wrote to memory of 2228 | 2632 | rundll32.exe | rundll32.exe
PID 2632 wrote to memory of 2228 | 2632 | rundll32.exe | rundll32.exe
PID 2632 wrote to memory of 2228 | 2632 | rundll32.exe | rundll32.exe
PID 2228 wrote to memory of 4544 | 2228 | rundll32.exe | mssecsvr.exe
PID 2228 wrote to memory of 4544 | 2228 | rundll32.exe | mssecsvr.exe
PID 2228 wrote to memory of 4544 | 2228 | rundll32.exe | mssecsvr.exe
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53bd36e4beb02198ccdde6c3a75663c2.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53bd36e4beb02198ccdde6c3a75663c2.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe (level 3)
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe (level 1)
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Downloads
-
C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB
MD5
63a98253cce2b5a2f596ac5142b309d3
SHA1
408dd5f4e660b225172b054a899bf0b374a152f1
SHA256
159916d87c50ea0a9237612fee58a73c9c60a3dc247f9757ae3ee91f6cfea6b8
SHA512
7b5ed3566385fc5b616d04fdf59723c1c79e242ec74d00b94f62ac81aaea476114acdb22d8ded7d94df88d6351ebadd3c9db3b9d772cc186c53a412025e178fc
-
C:\Windows\mssecsvr.exe
Filesize
2.2MB
MD5
63a98253cce2b5a2f596ac5142b309d3
SHA1
408dd5f4e660b225172b054a899bf0b374a152f1
SHA256
159916d87c50ea0a9237612fee58a73c9c60a3dc247f9757ae3ee91f6cfea6b8
SHA512
7b5ed3566385fc5b616d04fdf59723c1c79e242ec74d00b94f62ac81aaea476114acdb22d8ded7d94df88d6351ebadd3c9db3b9d772cc186c53a412025e178fc
-
memory/2228-130-0x0000000000000000-mapping.dmp
-
memory/4544-131-0x0000000000000000-mapping.dmp