Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted
20-07-2022 00:41
Static task
static1
Behavioral task
behavioral1
Sample
ae35c36bea9319e3456f00994d49c955.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
ae35c36bea9319e3456f00994d49c955.dll
Resource
win10v2004-20220718-en
General
-
Target
ae35c36bea9319e3456f00994d49c955.dll
-
Size
5.0MB
-
MD5
ae35c36bea9319e3456f00994d49c955
-
SHA1
930ffa486221f212895d298eeb9c7e98d3303810
-
SHA256
682a18a241d9b0430472694cd5822e14165b6d343ef46247d266e724f4c5ced2
-
SHA512
b492e9a61530b41149d9def1c30f5b61e0ba4d12952e608cb9e8798a3e4169ae67264e40ba50d7d77dc601f3a172aa735277e450de9703b83dca3576b7ea08ac
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (3299) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid   process
5000  mssecsvc.exe
4388  mssecsvc.exe
1516  tasksche.exe
Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
description   ioc                        process
File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes: mssecsvc.exe
description      ioc                                                                                                process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
description                        pid   process       target process
PID 4952 wrote to memory of 4988   4952  rundll32.exe  rundll32.exe
PID 4952 wrote to memory of 4988   4952  rundll32.exe  rundll32.exe
PID 4952 wrote to memory of 4988   4952  rundll32.exe  rundll32.exe
PID 4988 wrote to memory of 5000   4988  rundll32.exe  mssecsvc.exe
PID 4988 wrote to memory of 5000   4988  rundll32.exe  mssecsvc.exe
PID 4988 wrote to memory of 5000   4988  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 4952)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae35c36bea9319e3456f00994d49c955.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4988)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae35c36bea9319e3456f00994d49c955.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 5000)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1516)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 4388)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
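The process tree above (rundll32.exe loading the DLL by ordinal, a binary dropped directly into the root of C:\WINDOWS and spawned from there, that binary re-launched with "-m security" as a separate top-level process) and the network-scan signature earlier on the page (3299 remote hosts contacted) map directly onto endpoint detection logic. The Python below is an added example written for this page, not code from the sandbox report or from the sample; it runs those checks over constructed telemetry modelled on the report's PIDs, paths and command lines. The event schema, the benign control process (notepad.exe), the synthetic 150-host sweep, the 100-host threshold and the 445/tcp filter are assumptions: the report gives only the host count, not the port, and 445 is used here because it is WannaCry's well-known SMB propagation port.

```python
"""Detection checks over constructed endpoint telemetry modelled on the
sandbox process tree. The event dicts are a hypothetical, simplified log
schema for this example, not a real EDR format."""
from collections import defaultdict
import ntpath

WINDIR = r"C:\WINDOWS"

# Constructed sample: process-creation events mirroring the report's tree.
# PIDs, images and command lines come from the report; ppid values, the
# placeholder parent 1 and the notepad.exe control row are assumptions.
PROCESS_EVENTS = [
    {"pid": 4952, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae35c36bea9319e3456f00994d49c955.dll,#1"},
    {"pid": 4988, "ppid": 4952, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae35c36bea9319e3456f00994d49c955.dll,#1"},
    {"pid": 5000, "ppid": 4988, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 1516, "ppid": 5000, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 4388, "ppid": 1, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # benign control: a normal System32 binary, must not trigger anything
    {"pid": 6100, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Constructed sample: network-flow events. The sandbox saw 3299 remote hosts;
# a synthetic 150-host sweep from the service instance stands in for it here.
NETWORK_EVENTS = (
    [{"pid": 4388, "dst": f"10.0.{i // 256}.{i % 256}", "dport": 445} for i in range(150)]
    + [{"pid": 6100, "dst": "10.0.0.5", "dport": 445}]
)


def in_windows_root(image: str) -> bool:
    """True when the executable sits directly in %WINDIR%, not in a subfolder.
    Legitimate binaries live under System32/SysWOW64; the dropper wrote to the root."""
    head, _ = ntpath.split(image)
    return head.lower() == WINDIR.lower()


def dropped_exe_from_rundll32(events):
    """PIDs of %WINDIR%-root executables whose parent is rundll32.exe invoking
    a DLL export by ordinal (the ',#1' form in the report)."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        parent_is_ordinal_rundll32 = (
            ntpath.basename(parent["image"]).lower() == "rundll32.exe"
            and ",#" in parent["cmdline"]
        )
        if parent_is_ordinal_rundll32 and in_windows_root(e["image"]):
            hits.append(e["pid"])
    return hits


def self_install_service(events):
    """PIDs of %WINDIR%-root binaries re-launched with '-m security'
    (the second mssecsvc.exe instance in the tree)."""
    return [e["pid"] for e in events
            if in_windows_root(e["image"]) and e["cmdline"].rstrip().endswith("-m security")]


def smb_fan_out(events, threshold=100):
    """Map pid -> count of distinct hosts contacted on 445/tcp, keeping only
    processes above the threshold. Port and threshold are assumptions; tune both."""
    hosts = defaultdict(set)
    for e in events:
        if e["dport"] == 445:
            hosts[e["pid"]].add(e["dst"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) > threshold}


if __name__ == "__main__":
    print("spawned from rundll32 into %WINDIR% root:", dropped_exe_from_rundll32(PROCESS_EVENTS))
    print("'-m security' self-install:", self_install_service(PROCESS_EVENTS))
    print("445/tcp fan-out above threshold:", smb_fan_out(NETWORK_EVENTS))
```

The first check keys on parent/child lineage rather than on the mssecsvc.exe name, so it also fires on renamed droppers that follow the same rundll32-to-%WINDIR%-root pattern; the fan-out check works per process, which is what distinguishes the worm's sweep from a vulnerability scanner whose host is expected to touch many peers.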
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe (captured three times during the run; C:\WINDOWS\ and C:\Windows\ are the same path and all three copies carry identical hashes)
  Filesize: 3.6MB
  MD5: 17156cdc3d6c5e68be202aecf2e7c419
  SHA1: ea9e39a5463ae1c55d9f659a0b706d3d516462d2
  SHA256: bd3f0154d4299e0708b3e32b0d440546725a6abf856b4392299b44946a94fbea
  SHA512: 740ed7123d10fd91f1e4623356ca0addddce2a3c8fae23cafd821890ec5d25dee599bb6dbb8858b479e1c4fa2af7c16f49d0cae324763c559c080e1940de1c0c
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 84a3bcc88e986e51b09336dec5cdf70f
  SHA1: 0055217de8cc80a341c4950607f8e1a2ec49f75e
  SHA256: bff5fa6cf223b458a703d6a2acdb1977a455d99dbeae5c05fe7f23f069bcbc61
  SHA512: 70de79a19dc48c6d6d598acffd8b7b0095e458ffa1c31e2c6e4ee3d907716e9ea1b72c438ab64da74957127cd21cce0d4a3d432f1dabf66c5b9fd2286eb7593a
-
memory/4988-130-0x0000000000000000-mapping.dmp
-
memory/5000-131-0x0000000000000000-mapping.dmp