Analysis
- Max time kernel: 150s
- Max time network: 154s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 20-07-2022 00:41
Static task: static1
Behavioral task: behavioral1
- Sample: 16ce86d5d1cf3e2dd93aaec1b3394ef2.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 16ce86d5d1cf3e2dd93aaec1b3394ef2.dll
- Resource: win10v2004-20220414-en
General
- Target: 16ce86d5d1cf3e2dd93aaec1b3394ef2.dll
- Size: 5.0MB
- MD5: 16ce86d5d1cf3e2dd93aaec1b3394ef2
- SHA1: 5dae16978a5b8f1964e04ac2145541b0ad2b52f3
- SHA256: 778a55a3dab38862e2eda45f619cdb44baa804a1c165f0db8c600ec1b1faaf64
- SHA512: 117bae2ed24ff5d39d18a9d7209ef9ef56c8c21977b4c268123ac5df46d294254603113aba45b74183556fe7ac8b00375322b071e5cb4a491d2704cd47706f39
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3246) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    4316  mssecsvc.exe
    4388  mssecsvc.exe
    4676  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    description      ioc                                                                                                process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\        mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                        pid   process       target process
    PID 2744 wrote to memory of 4216   2744  rundll32.exe  rundll32.exe
    PID 2744 wrote to memory of 4216   2744  rundll32.exe  rundll32.exe
    PID 2744 wrote to memory of 4216   2744  rundll32.exe  rundll32.exe
    PID 4216 wrote to memory of 4316   4216  rundll32.exe  mssecsvc.exe
    PID 4216 wrote to memory of 4316   4216  rundll32.exe  mssecsvc.exe
    PID 4216 wrote to memory of 4316   4216  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16ce86d5d1cf3e2dd93aaec1b3394ef2.dll,#1
  PID: 2744
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16ce86d5d1cf3e2dd93aaec1b3394ef2.dll,#1
    PID: 4216
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4316
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4676
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4388
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a0cb6b0dc5d228429065fbc33c2f585d
  SHA1: 07726f67a00ad36476dfa5dca830129324d6b223
  SHA256: 06fd85227f456e59ae19c46a7cefdc41cafadecb53ba6c25ceec9abda8d606b3
  SHA512: 89680cdd995c9d2acfcfd9881f58e7e4693d2a7545a9c894af266ffa6a301362a6653ed070f06808fbf3c9fd811a300096a7b095c6ffb072348f2f8b9a247e18
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a0cb6b0dc5d228429065fbc33c2f585d
  SHA1: 07726f67a00ad36476dfa5dca830129324d6b223
  SHA256: 06fd85227f456e59ae19c46a7cefdc41cafadecb53ba6c25ceec9abda8d606b3
  SHA512: 89680cdd995c9d2acfcfd9881f58e7e4693d2a7545a9c894af266ffa6a301362a6653ed070f06808fbf3c9fd811a300096a7b095c6ffb072348f2f8b9a247e18
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: ea7d7a7f1e10874a3e94cd08628083db
  SHA1: 41f862f9eeee5acf802eaf2bfc9b2c0bb862f82f
  SHA256: 06b22b278a2ebcf74be43cfee41826342cc118bb570e7833ecf53e1d1a521ba6
  SHA512: 9a85dedc93b8bf73cf8d58eadd0b536c4c7c0ecc03af1bf4ffb40561e3eb72a8eaa7f3fca070f2afd47334365adba941df7e3b3fcfa23f7762a97fa4d4897bed
- memory/4216-130-0x0000000000000000-mapping.dmp
- memory/4316-131-0x0000000000000000-mapping.dmp