Analysis

max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 00:43
Static task: static1
Behavioral task: behavioral1
  Sample: c36b1df21a113df6b722739559789d7a.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: c36b1df21a113df6b722739559789d7a.dll
  Resource: win10v2004-20220414-en
General

Target: c36b1df21a113df6b722739559789d7a.dll
Size: 5.0MB
MD5: c36b1df21a113df6b722739559789d7a
SHA1: 559960bd1ccd2351761eae1362a57c9857562d71
SHA256: 49226d9d4d6b7db5be0d155273e5e6546ec029b2afc1651b6478f13f5febf29e
SHA512: b8856ab6b2d5c85c21a9de474b4d112e9f9671196536ecfc7d83dd650aec7043b6c0afc0505bf44ea8509376328ead206c3c1eb9306a8e1218db22146f5716be
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm. Its worm component spreads over SMB, and the wide remote-host fan-out recorded below is consistent with its propagation scan.
- Contacts a large (3219) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID   Process
  4300  mssecsvc.exe
  2788  mssecsvc.exe
  4268  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  All five writes are made by mssecsvc.exe (PID 2788, the "-m security" instance) under the .DEFAULT hive, which is consistent with the process running as LocalSystem rather than as the interactive user.
  Description      IoC                                                                                                              Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID   Process       Target PID  Target process
  2204  rundll32.exe  968         rundll32.exe
  2204  rundll32.exe  968         rundll32.exe
  2204  rundll32.exe  968         rundll32.exe
  968   rundll32.exe  4300        mssecsvc.exe
  968   rundll32.exe  4300        mssecsvc.exe
  968   rundll32.exe  4300        mssecsvc.exe
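The three behavioural signatures above (file drops under the Windows directory, ZoneMap writes in the .DEFAULT hive, and a large remote-host fan-out) re-implemented as checks over host telemetry. This is an added example, not the sandbox's own detection code; the event records, their field names and the benign control events are constructed here, and the 100-host threshold is an assumption to tune per environment.

```python
"""Three of the report's behavioural signatures re-implemented as checks over
constructed host telemetry. Added example, not the sandbox's own detection code."""
import re
from collections import defaultdict

# --- Constructed telemetry (not from the report; field names are assumptions) ---
# File creations: the report's two IoCs plus a benign temp-file write.
FILE_EVENTS = [
    {"pid": 968,  "image": "rundll32.exe", "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 4300, "image": "mssecsvc.exe", "path": r"C:\WINDOWS\tasksche.exe"},
    {"pid": 1500, "image": "notepad.exe",  "path": r"C:\Users\Admin\AppData\Local\Temp\draft.txt"},
]
# Registry writes: the four ZoneMap values from the report plus an unrelated per-user write.
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
REG_EVENTS = [
    {"pid": 2788, "image": "mssecsvc.exe", "key": ZONEMAP, "value": "AutoDetect",    "data": 0},
    {"pid": 2788, "image": "mssecsvc.exe", "key": ZONEMAP, "value": "ProxyBypass",   "data": 1},
    {"pid": 2788, "image": "mssecsvc.exe", "key": ZONEMAP, "value": "IntranetName",  "data": 1},
    {"pid": 2788, "image": "mssecsvc.exe", "key": ZONEMAP, "value": "UNCAsIntranet", "data": 1},
    {"pid": 1500, "image": "notepad.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Notepad",
     "value": "iWindowPosX", "data": 10},
]
# Network flows (pid, image, remote_ip, remote_port): one process fanning out to 3219
# distinct hosts on tcp/445, the count in the report, plus a single benign HTTPS flow.
NET_FLOWS = [(4300, "mssecsvc.exe", f"10.0.{i // 256}.{i % 256}", 445) for i in range(3219)]
NET_FLOWS.append((1500, "notepad.exe", "93.184.216.34", 443))

WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
ZONEMAP_VALUES = {"AutoDetect", "ProxyBypass", "IntranetName", "UNCAsIntranet"}


def drops_in_windows_dir(file_events):
    """'Drops file in Windows directory': files written directly under %SystemRoot%,
    which requires elevation and is where the report's dropper places both payloads."""
    return [(e["pid"], e["image"], e["path"]) for e in file_events
            if WINDOWS_DIR.match(e["path"])]


def zonemap_writes(reg_events):
    """'Modifies data under HKEY_USERS': ZoneMap writes in the .DEFAULT hive, i.e. by a
    process running as LocalSystem rather than as the logged-on user."""
    return [(e["pid"], e["image"], e["value"], e["data"]) for e in reg_events
            if e["key"].lower() == ZONEMAP.lower() and e["value"] in ZONEMAP_VALUES]


def scanning_processes(flows, threshold=100):
    """'Contacts a large amount of remote hosts': distinct remote IPs per (pid, image, port)
    at or above the threshold. One process touching thousands of hosts on a single port
    is a propagation scan, not client traffic."""
    hosts = defaultdict(set)
    for pid, image, ip, port in flows:
        hosts[(pid, image, port)].add(ip)
    return {key: len(ips) for key, ips in hosts.items() if len(ips) >= threshold}


if __name__ == "__main__":
    for hit in drops_in_windows_dir(FILE_EVENTS):
        print("drop   ", hit)
    for hit in zonemap_writes(REG_EVENTS):
        print("zonemap", hit)
    for key, n in scanning_processes(NET_FLOWS).items():
        print("scan   ", key, n, "distinct hosts")
```

The scan check is the strongest of the three: 3219 distinct hosts on one port from a single process is unambiguous. The ZoneMap values are typically the defaults WinINet writes the first time it is initialised in a profile that has no Internet Settings yet, so on their own they are a weak indicator; they matter here because of who wrote them (a freshly dropped binary in the .DEFAULT hive), which is why the check keys on the hive and the process.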
Processes

- C:\Windows\system32\rundll32.exe (PID 2204)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c36b1df21a113df6b722739559789d7a.dll,#1
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 968)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c36b1df21a113df6b722739559789d7a.dll,#1
    Drops file in Windows directory
    Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 4300)
      C:\WINDOWS\mssecsvc.exe
      Executes dropped EXE
      Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4268)
        C:\WINDOWS\tasksche.exe /i
        Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe (PID 2788)
  C:\WINDOWS\mssecsvc.exe -m security
  Executes dropped EXE
  Modifies data under HKEY_USERS

The DLL is invoked through export ordinal #1. Because the sample is 32-bit (resource tag arch:x86), the 64-bit system32\rundll32.exe hands it off to its SysWOW64 counterpart, which is the process that actually drops and launches mssecsvc.exe. The second mssecsvc.exe instance (-m security, PID 2788) has no parent in the captured tree and is the one writing the .DEFAULT registry hive.
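Reconstructing the tree above from flat process-creation events and matching the rundll32.exe to mssecsvc.exe to tasksche.exe chain, as an added example rather than the sandbox's own code. The event tuples are constructed to mirror the report; the parent PIDs 1000 and 1001 are placeholders, since the report does not show the parents of PID 2204 or PID 2788.

```python
"""Process-tree reconstruction and WannaCry chain matching over constructed
process-creation events. Added example; not the sandbox's code."""
from collections import defaultdict

# Constructed (pid, ppid, image, command line) events mirroring the report's tree.
# Parent PIDs 1000/1001 are placeholders: the report does not show those parents.
PROC_EVENTS = [
    (2204, 1000, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\c36b1df21a113df6b722739559789d7a.dll,#1"),
    (968, 2204, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\c36b1df21a113df6b722739559789d7a.dll,#1"),
    (4300, 968, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    (4268, 4300, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    (2788, 1001, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]

WANNACRY_CHAIN = ["rundll32.exe", "mssecsvc.exe", "tasksche.exe"]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_index(events):
    """pid -> (ppid, image, cmd) plus ppid -> [child pids], both in event order."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children = defaultdict(list)
    for pid, ppid, _, _ in events:
        children[ppid].append(pid)
    return by_pid, children


def roots(events):
    """Processes whose parent was never observed (the top of each captured tree)."""
    by_pid, _ = build_index(events)
    return [pid for pid, (ppid, _, _) in by_pid.items() if ppid not in by_pid]


def render_tree(events):
    """Indented listing, one line per process, two spaces per nesting level."""
    by_pid, children = build_index(events)
    lines = []

    def walk(pid, depth):
        _, image, cmd = by_pid[pid]
        lines.append(f"{'  ' * depth}[{pid}] {image}  ::  {cmd}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots(events):
        walk(root, 0)
    return lines


def ancestry(events, pid):
    """Image basenames from the outermost observed ancestor down to pid."""
    by_pid, _ = build_index(events)
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid][1]))
        pid = by_pid[pid][0]
    return list(reversed(chain))


def find_chain(events, chain=WANNACRY_CHAIN):
    """PIDs whose ancestry ends in rundll32.exe -> mssecsvc.exe -> tasksche.exe.
    Consecutive identical images are collapsed so the system32 -> SysWOW64
    rundll32 hand-off for a 32-bit DLL still matches a single rundll32 step."""
    hits = []
    for pid, _, _, _ in events:
        anc = ancestry(events, pid)
        collapsed = [a for i, a in enumerate(anc) if i == 0 or a != anc[i - 1]]
        if collapsed[-len(chain):] == chain:
            hits.append(pid)
    return hits


def service_launches(events):
    """mssecsvc.exe instances started with the '-m security' argument seen in the report."""
    return [pid for pid, _, image, cmd in events
            if basename(image) == "mssecsvc.exe" and cmd.endswith("-m security")]


if __name__ == "__main__":
    print("\n".join(render_tree(PROC_EVENTS)))
    print("chain hits:", find_chain(PROC_EVENTS), "service launches:", service_launches(PROC_EVENTS))
```

Keying the chain on image basenames rather than full paths is deliberate: the report shows the same dropper under both C:\WINDOWS and C:\Windows, and the rundll32 pair lives in two different directories. A real deployment would read the events from Sysmon event 1 or an EDR process stream instead of the constructed list.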
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 71947d8845c563f91b94f8d155ec2794
  SHA1: e9c550c7c2b0df8989bbddb63abaf5cc642be245
  SHA256: 20ac1a6e3725dcb8d7e889bd3401725a6af076525ae25abe4914146c2bb39c74
  SHA512: 6d70e84242970a4b65427b2f1741096635f9f812964b22b5d0c55c1f91e681b9cedd2d8946a8ace4f550776a77ee101f3912d71d01d36224fd65a1de8b35bf6c
- C:\Windows\mssecsvc.exe (the same file as above, recorded under a second spelling of the path)
  Filesize: 3.6MB
  MD5: 71947d8845c563f91b94f8d155ec2794
  SHA1: e9c550c7c2b0df8989bbddb63abaf5cc642be245
  SHA256: 20ac1a6e3725dcb8d7e889bd3401725a6af076525ae25abe4914146c2bb39c74
  SHA512: 6d70e84242970a4b65427b2f1741096635f9f812964b22b5d0c55c1f91e681b9cedd2d8946a8ace4f550776a77ee101f3912d71d01d36224fd65a1de8b35bf6c
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a203a133174d3b4ebe3ee65dd2882af9
  SHA1: b3def31fcb3629d202609de7af988ffbdcc8aea1
  SHA256: 2bc3f0f53335d039a76281e0c9a15c271f11e7ab86372b16bf1a08c0fb6726f0
  SHA512: 60ac2f833d38970f28d0db5166fa815cc5e56ee86c8dede3b2c6e43d021ae832d6ca85e6713041f278a6df00ad461daec629194af0de5d88c2befecaf1873350
- memory/968-130-0x0000000000000000-mapping.dmp (memory mapping dump for PID 968, the SysWOW64 rundll32.exe)
- memory/4300-131-0x0000000000000000-mapping.dmp (memory mapping dump for PID 4300, the first mssecsvc.exe)
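A parser for the Downloads records as the extraction flattened them (label fused to value, e.g. "MD571947d…"), with the dropped files de-duplicated by SHA-256 and a lookup of a file's bytes against them. Added example, not part of the report or the sandbox; the hash lines are copied verbatim from the report, the lookup input is constructed bytes, and the digest-length check is an assumption about how to catch a mis-read label boundary.

```python
"""Parse the report's flattened 'Downloads' hash records, index dropped files by
SHA-256 and look up a file's digest against them. Added example, not sandbox code."""
import hashlib
import re

# Lines copied from the report's Downloads section exactly as extracted
# (label fused to value). The dropper appears twice under two path spellings.
REPORT_DOWNLOADS = r"""
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD571947d8845c563f91b94f8d155ec2794
SHA1e9c550c7c2b0df8989bbddb63abaf5cc642be245
SHA25620ac1a6e3725dcb8d7e889bd3401725a6af076525ae25abe4914146c2bb39c74
SHA5126d70e84242970a4b65427b2f1741096635f9f812964b22b5d0c55c1f91e681b9cedd2d8946a8ace4f550776a77ee101f3912d71d01d36224fd65a1de8b35bf6c
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD571947d8845c563f91b94f8d155ec2794
SHA1e9c550c7c2b0df8989bbddb63abaf5cc642be245
SHA25620ac1a6e3725dcb8d7e889bd3401725a6af076525ae25abe4914146c2bb39c74
SHA5126d70e84242970a4b65427b2f1741096635f9f812964b22b5d0c55c1f91e681b9cedd2d8946a8ace4f550776a77ee101f3912d71d01d36224fd65a1de8b35bf6c
C:\Windows\tasksche.exeFilesize
3.4MB
MD5a203a133174d3b4ebe3ee65dd2882af9
SHA1b3def31fcb3629d202609de7af988ffbdcc8aea1
SHA2562bc3f0f53335d039a76281e0c9a15c271f11e7ab86372b16bf1a08c0fb6726f0
SHA51260ac2f833d38970f28d0db5166fa815cc5e56ee86c8dede3b2c6e43d021ae832d6ca85e6713041f278a6df00ad461daec629194af0de5d88c2befecaf1873350
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
# Longest labels first so 'SHA512…'/'SHA256…' are not split as 'SHA' + digits.
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")


def parse_downloads(text):
    """Split 'LABELvalue' lines back into records. A digest of the wrong length means
    the label/value boundary was mis-read, so fail loudly rather than index a bad IoC."""
    records, cur = [], None
    for line in text.splitlines():
        if line.endswith("Filesize"):
            cur = {"path": line[: -len("Filesize")]}
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{cur['path']}: {algo} digest has {len(digest)} hex chars")
            cur[algo] = digest
        elif "size" not in cur:
            cur["size"] = line
    return records


def index_by_sha256(records):
    """One entry per distinct file, keeping every path spelling it was seen under."""
    index = {}
    for r in records:
        entry = index.setdefault(r["sha256"], {
            "paths": [], "size": r["size"], "md5": r["md5"], "sha1": r["sha1"], "sha512": r["sha512"]})
        if r["path"] not in entry["paths"]:
            entry["paths"].append(r["path"])
    return index


def digests(data):
    """All four digests of a byte string, keyed like the report's labels."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in DIGEST_LEN}


def lookup(index, data):
    """Return the report entry matching these bytes, or None if they are not a known drop."""
    return index.get(digests(data)["sha256"])


if __name__ == "__main__":
    idx = index_by_sha256(parse_downloads(REPORT_DOWNLOADS))
    for sha256, entry in idx.items():
        print(sha256, entry["size"], entry["paths"])
    # Constructed bytes, not a real sample: expected to miss.
    print("match:", lookup(idx, b"constructed bytes, not the real dropper"))
```

Indexing on SHA-256 rather than MD5 avoids treating the two mssecsvc.exe path spellings as different files and keeps the weak MD5 only as a secondary value. Pointing `lookup` at real file bytes means reading them with `open(path, "rb").read()` on a system you suspect was hit; the matching is by digest, so path or file-name changes do not evade it.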