Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 00:48
Static task: static1
Behavioral task: behavioral1
- Sample: 7a0631216e7e0807a155539dc0bfd8b4.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 7a0631216e7e0807a155539dc0bfd8b4.dll
- Resource: win10v2004-20220718-en
General
Target: 7a0631216e7e0807a155539dc0bfd8b4.dll
Size: 5.0MB
MD5: 7a0631216e7e0807a155539dc0bfd8b4
SHA1: fca36ac2c4a36fffa978655d46337465cba30cb1
SHA256: 2c45e11f3ae6d3a9d81dbb079902ef99737b24b58d34d7c03a23ed8494c9f8a2
SHA512: 11261fdcb99e1809c341134129fbc80d5ffa68f0ea49c37ab11e4b36a96b7aed81881bb1ad063e3999020614aea270724940dafb7d4d545d10a367c7f15f7319
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm: it encrypts files and self-propagates to other hosts over SMB. The dropped mssecsvc.exe (worm/service component) and tasksche.exe (encryptor) recorded below are the file names this family uses, and the mass host contact is its propagation scan.
- Contacts a large number (3269) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services; for WannaCry it is the worm component's SMB propagation scan.
- Executes dropped EXE (2 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe
  PID   Process
  3720  mssecsvc.exe
  2696  mssecsvc.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  Description      IoC                                                                                                  Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  These are WinINet intranet-zone settings. They are written under the .DEFAULT user hive, which is the profile used by the LocalSystem account; that is consistent with the writing process (PID 2696, the "-m security" instance in the process tree) running as a service rather than in the Admin user's session.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID   Wrote to memory of  Process       Target process
  3128  3148                rundll32.exe  rundll32.exe
  3128  3148                rundll32.exe  rundll32.exe
  3128  3148                rundll32.exe  rundll32.exe
  3148  3720                rundll32.exe  mssecsvc.exe
  3148  3720                rundll32.exe  mssecsvc.exe
  3148  3720                rundll32.exe  mssecsvc.exe
  In every row the writer is the direct parent of the target in the process tree, and the writes occur as each child is created. That pattern is consistent with ordinary process creation (the parent populating its new child) rather than injection into an unrelated process, so this signature adds little on its own here; the dropped-and-executed chain is the stronger evidence.
Processes
- C:\Windows\system32\rundll32.exe (PID 3128)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a0631216e7e0807a155539dc0bfd8b4.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3148)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a0631216e7e0807a155539dc0bfd8b4.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3720)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
- C:\WINDOWS\mssecsvc.exe (PID 2696)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

Notes on the tree: the DLL is invoked through export ordinal 1 (",#1"). The 64-bit rundll32.exe in system32 re-launches the 32-bit copy in SysWOW64 with the same command line, which is what happens when a 32-bit DLL is handed to the 64-bit rundll32 (the resource tags list arch:x86 alongside x64). The second mssecsvc.exe instance (PID 2696) has no parent in the captured tree and runs with "-m security", so it was started outside the rundll32 chain, consistent with a service start; its registry writes go to the .DEFAULT hive, which matches a LocalSystem context.
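The signatures above are produced by correlating individual behavioural events: a file created under C:\Windows, a process whose image is that freshly written file, a registry write under HKEY_USERS, and the parent-child links that tie them back to the rundll32 invocation. The following is an added example, not the sandbox's own code, that reproduces that correlation over events transcribed from this report. The Event schema (kind, pid, ppid, image, cmdline, path) is this example's own and is chosen to mirror what Sysmon event IDs 1, 11 and 13 provide; the sample event list is constructed from the tables and process tree above.

```python
"""Correlate sandbox behavioural events into the signatures a report like this one fires.

Added example, not part of the sandbox report or its tooling. The Event fields are an
assumed schema mirroring Sysmon event IDs 1 (process create), 11 (file create) and
13 (registry value set). SAMPLE_EVENTS is transcribed from the report's process tree
and its "Drops file in Windows directory" / "Modifies data under HKEY_USERS" tables.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    kind: str                    # "process", "file_create" or "reg_set"
    pid: int                     # acting process
    image: str                   # image path of the acting process
    ppid: Optional[int] = None   # parent pid for "process" events (None if not captured)
    cmdline: str = ""            # command line for "process" events
    path: str = ""               # created file, or registry value, for the other kinds


DLL = r"C:\Users\Admin\AppData\Local\Temp\7a0631216e7e0807a155539dc0bfd8b4.dll"
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# Constructed from the report above, in the order the sandbox recorded them.
SAMPLE_EVENTS: List[Event] = [
    Event("process", 3128, r"C:\Windows\system32\rundll32.exe", None, f"rundll32.exe {DLL},#1"),
    Event("process", 3148, r"C:\Windows\SysWOW64\rundll32.exe", 3128, f"rundll32.exe {DLL},#1"),
    Event("file_create", 3148, r"C:\Windows\SysWOW64\rundll32.exe", path=r"C:\WINDOWS\mssecsvc.exe"),
    Event("process", 3720, r"C:\WINDOWS\mssecsvc.exe", 3148, r"C:\WINDOWS\mssecsvc.exe"),
    Event("file_create", 3720, r"C:\WINDOWS\mssecsvc.exe", path=r"C:\WINDOWS\tasksche.exe"),
    Event("process", 2696, r"C:\WINDOWS\mssecsvc.exe", None, r"C:\WINDOWS\mssecsvc.exe -m security"),
    Event("reg_set", 2696, r"C:\WINDOWS\mssecsvc.exe", path=ZONEMAP + r"\UNCAsIntranet"),
    Event("reg_set", 2696, r"C:\WINDOWS\mssecsvc.exe", path=ZONEMAP + r"\ProxyBypass"),
]


def _norm(p: str) -> str:
    """Windows paths are case-insensitive (C:\\WINDOWS vs C:\\Windows above); compare lower-cased."""
    return p.lower()


def drops_file_in_windows_dir(events: List[Event]) -> List[Event]:
    return [e for e in events if e.kind == "file_create" and _norm(e.path).startswith("c:\\windows\\")]


def executes_dropped_exe(events: List[Event]) -> List[Event]:
    """A process whose image path is a file that an earlier event in the same trace created."""
    dropped, hits = set(), []
    for e in events:                       # order matters: the drop must precede the execution
        if e.kind == "file_create":
            dropped.add(_norm(e.path))
        elif e.kind == "process" and _norm(e.image) in dropped:
            hits.append(e)
    return hits


def modifies_hkey_users(events: List[Event]) -> List[Event]:
    return [e for e in events if e.kind == "reg_set" and _norm(e.path).startswith("\\registry\\user\\")]


def ancestry(events: List[Event], pid: int) -> List[Event]:
    """Follow ppid links from pid back to the root of its tree; returned root first."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:   # seen-set guards against pid-reuse loops
        seen.add(cur.pid)
        chain.append(cur)
        cur = procs.get(cur.ppid) if cur.ppid is not None else None
    return chain[::-1]


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1]


def triage(events: List[Event]) -> Dict[str, List[str]]:
    """Return signature name -> human-readable IoC lines, grouped the way the report groups them."""
    out: Dict[str, List[str]] = {}
    out["Drops file in Windows directory"] = [
        f"{_basename(e.image)} (pid {e.pid}) created {e.path}" for e in drops_file_in_windows_dir(events)]
    out["Executes dropped EXE"] = []
    for e in executes_dropped_exe(events):
        chain = ancestry(events, e.pid)
        names = " > ".join(_basename(p.image) for p in chain)
        tail = "" if len(chain) > 1 else " [no parent in trace]"   # e.g. a service-started instance
        out["Executes dropped EXE"].append(f"{names} (pid {e.pid}){tail}")
    out["Modifies data under HKEY_USERS"] = [
        f"{_basename(e.image)} (pid {e.pid}) set {e.path}" for e in modifies_hkey_users(events)]
    return out


if __name__ == "__main__":
    for sig, iocs in triage(SAMPLE_EVENTS).items():
        print(f"{sig} ({len(iocs)} IoCs)")
        for line in iocs:
            print("  " + line)
```

Running it reproduces the report's two "Executes dropped EXE" hits: PID 3720 is reached through rundll32.exe > rundll32.exe > mssecsvc.exe, while PID 2696 has no parent in the trace, which is the clue that it was started by something outside the captured chain. The same three rules can be pointed at real Sysmon or EDR events once they are mapped onto the Event fields.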
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe (also reported as C:\Windows\mssecsvc.exe)
  Filesize: 3.6MB
  MD5: a01a2f7460e161baec47241b63a26d65
  SHA1: e52305cf2fcb7750449f2c5fc29864b5e246df8b
  SHA256: 3d64941858b3b79aa9e79a2ebe69580498494f466ec58627701967c2c5c6065c
  SHA512: 47bcd553fb4f14abcc7d8f791fe5b633416387cb17739e9b5e2687ab45cd8a5023a97429478d37b768fe14977ccad4c02f03ec9a90fc2c8c7c200a29cfeb0386
- memory/3148-130-0x0000000000000000-mapping.dmp
- memory/3720-131-0x0000000000000000-mapping.dmp