Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
resource tags
arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system -
submitted
20-07-2022 00:44
Static task
static1
Behavioral task
behavioral1
Sample
8a3d79d167ee3b3e4edcd795cc7a3d1f.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
8a3d79d167ee3b3e4edcd795cc7a3d1f.dll
Resource
win10v2004-20220718-en
General
-
Target
8a3d79d167ee3b3e4edcd795cc7a3d1f.dll
-
Size
5.0MB
-
MD5
8a3d79d167ee3b3e4edcd795cc7a3d1f
-
SHA1
69c8a6cf35ba8665326156d50c3ca301d72b6b62
-
SHA256
072d830282531cfe17214abc9dad67e3a1c71f5fab3f4d57398483e26b14359d
-
SHA512
52b6771c217a9c66d10d6e8e733198eca5ee641d23ddb67d73692567a53407d3bb971ce59f8bb9de426d2d638880e0227e260a5aac0cd64410135ab92b079ec5
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3176) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 2 IoCs
Processes:
mssecsvr.exemssecsvr.exepid process 4112 mssecsvr.exe 4316 mssecsvr.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvr.exedescription ioc process File created C:\WINDOWS\mssecsvr.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvr.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvr.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvr.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3536 wrote to memory of 3796 3536 rundll32.exe rundll32.exe PID 3536 wrote to memory of 3796 3536 rundll32.exe rundll32.exe PID 3536 wrote to memory of 3796 3536 rundll32.exe rundll32.exe PID 3796 wrote to memory of 4112 3796 rundll32.exe mssecsvr.exe PID 3796 wrote to memory of 4112 3796 rundll32.exe mssecsvr.exe PID 3796 wrote to memory of 4112 3796 rundll32.exe mssecsvr.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8a3d79d167ee3b3e4edcd795cc7a3d1f.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8a3d79d167ee3b3e4edcd795cc7a3d1f.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvr.exeFilesize
2.2MB
MD552f32ddde05bece6322c3c5ddc2a3e34
SHA13cc86a5b0d9b98c631173f099f8b66b3495f9003
SHA25624ee88df255e6bb2902363aa3fdaedd6975d7fcf0a45407916bd332c03525932
SHA512f1be0e42e90497b2569d3bb451cbac3f5feee75124840e7186f5465157533358fecd791e3fe527ae9107eb02735b14efc6daaa145c9999291e9710c9902bbecd
-
C:\Windows\mssecsvr.exeFilesize
2.2MB
MD552f32ddde05bece6322c3c5ddc2a3e34
SHA13cc86a5b0d9b98c631173f099f8b66b3495f9003
SHA25624ee88df255e6bb2902363aa3fdaedd6975d7fcf0a45407916bd332c03525932
SHA512f1be0e42e90497b2569d3bb451cbac3f5feee75124840e7186f5465157533358fecd791e3fe527ae9107eb02735b14efc6daaa145c9999291e9710c9902bbecd
-
C:\Windows\mssecsvr.exeFilesize
2.2MB
MD552f32ddde05bece6322c3c5ddc2a3e34
SHA13cc86a5b0d9b98c631173f099f8b66b3495f9003
SHA25624ee88df255e6bb2902363aa3fdaedd6975d7fcf0a45407916bd332c03525932
SHA512f1be0e42e90497b2569d3bb451cbac3f5feee75124840e7186f5465157533358fecd791e3fe527ae9107eb02735b14efc6daaa145c9999291e9710c9902bbecd
-
memory/3796-130-0x0000000000000000-mapping.dmp
-
memory/4112-131-0x0000000000000000-mapping.dmp