Analysis

  max time kernel:   152s
  max time network:  156s
  platform:          windows10-2004_x64
  resource:          win10v2004-20220414-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         20-07-2022 00:46
Static task: static1

Behavioral task: behavioral1
  Sample:   a04eedfd36add320d1853d5a76efc719.dll
  Resource: win7-20220718-en

Behavioral task: behavioral2
  Sample:   a04eedfd36add320d1853d5a76efc719.dll
  Resource: win10v2004-20220414-en
General

  Target:  a04eedfd36add320d1853d5a76efc719.dll
  Size:    5.0MB
  MD5:     a04eedfd36add320d1853d5a76efc719
  SHA1:    f57118b1268c27f96812182291a1f03d05312fea
  SHA256:  72ff24923e8f0101d384ce359e014fe06691e2a603c7d1721ec7a477ff825383
  SHA512:  edfeedf28537a31d4c3b7a0e1e2bab386d54af80d4ef4fb9aaaeb51f579fae997e0480385cbff211dacfeda15f4bd2d55acf397aede700ce99840ac6afd4124d
Malware Config
Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3355) amount of remote hosts  (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE  (2 IoCs)
  Processes:
    pid   process
    884   mssecsvr.exe
    2320  mssecsvr.exe

Creates a large amount of network flows  (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory  (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvr.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvr.exe

Modifies data under HKEY_USERS  (5 IoCs)
  Processes:
    description      ioc                                                                                                        process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvr.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      mssecsvr.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvr.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvr.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvr.exe

Suspicious use of WriteProcessMemory  (6 IoCs)
  Processes:
    description                        pid   process       target process
    PID 5084 wrote to memory of 4112   5084  rundll32.exe  rundll32.exe
    PID 5084 wrote to memory of 4112   5084  rundll32.exe  rundll32.exe
    PID 5084 wrote to memory of 4112   5084  rundll32.exe  rundll32.exe
    PID 4112 wrote to memory of 884    4112  rundll32.exe  mssecsvr.exe
    PID 4112 wrote to memory of 884    4112  rundll32.exe  mssecsvr.exe
    PID 4112 wrote to memory of 884    4112  rundll32.exe  mssecsvr.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a04eedfd36add320d1853d5a76efc719.dll,#1
  PID: 5084
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a04eedfd36add320d1853d5a76efc719.dll,#1
      PID: 4112
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      └ C:\WINDOWS\mssecsvr.exe
          command line: C:\WINDOWS\mssecsvr.exe
          PID: 884
          - Executes dropped EXE
          - Drops file in Windows directory

C:\WINDOWS\mssecsvr.exe
  command line: C:\WINDOWS\mssecsvr.exe -m security
  PID: 2320
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\WINDOWS\mssecsvr.exe
  Filesize: 2.2MB
  MD5:      593db3849fe4faa244b4cf94dabdfd35
  SHA1:     6a2e46953820e7859b3b468efe053249a13678a3
  SHA256:   dc9bc5110090fe1fcac02faf801d6c7aff6ee779df65ff2cc079efb1dd44469a
  SHA512:   b46e3f62b26ed3a1cf73132ee6b82c919596053f38d07b4cf069a2b3ac3ca5f32a3345e18b6735afd4b555b8bcaab2e6be2b6da13b5996b4179f92c109566b38

C:\Windows\mssecsvr.exe
  Filesize: 2.2MB
  MD5:      593db3849fe4faa244b4cf94dabdfd35
  SHA1:     6a2e46953820e7859b3b468efe053249a13678a3
  SHA256:   dc9bc5110090fe1fcac02faf801d6c7aff6ee779df65ff2cc079efb1dd44469a
  SHA512:   b46e3f62b26ed3a1cf73132ee6b82c919596053f38d07b4cf069a2b3ac3ca5f32a3345e18b6735afd4b555b8bcaab2e6be2b6da13b5996b4179f92c109566b38
memory/884-134-0x0000000000000000-mapping.dmp

memory/4112-133-0x0000000000000000-mapping.dmp