Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 00:54
Static task: static1
Behavioral task: behavioral1
- Sample: 700676152020869995f46970dc5c2dd2.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 700676152020869995f46970dc5c2dd2.dll
- Resource: win10v2004-20220718-en
General
- Target: 700676152020869995f46970dc5c2dd2.dll
- Size: 5.0MB
- MD5: 700676152020869995f46970dc5c2dd2
- SHA1: d68271778f94dbefa05052005c328fca8eadb06c
- SHA256: 25dfafdba40d4fe12ca9e8665529db03e7d21234b2bec00ac8e97cce4f84d54d
- SHA512: 1bcc848e4e9a3d1b803d31c44c01ccfef8ae06a791d08f8f735690b338542de061cb3dfa8931403fe7ae948329721d3ec1bf3497277b2845c7ac0dd2337c020a
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3185) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid  | process
  3928 | mssecsvc.exe
  2828 | mssecsvc.exe
  3140 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: mssecsvc.exe, rundll32.exe
  description  | ioc                     | process
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description     | ioc                                                                                                       | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                   | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                      | pid  | process      | target process
  PID 2524 wrote to memory of 1572 | 2524 | rundll32.exe | rundll32.exe
  PID 2524 wrote to memory of 1572 | 2524 | rundll32.exe | rundll32.exe
  PID 2524 wrote to memory of 1572 | 2524 | rundll32.exe | rundll32.exe
  PID 1572 wrote to memory of 3928 | 1572 | rundll32.exe | mssecsvc.exe
  PID 1572 wrote to memory of 3928 | 1572 | rundll32.exe | mssecsvc.exe
  PID 1572 wrote to memory of 3928 | 1572 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2524, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\700676152020869995f46970dc5c2dd2.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1572, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\700676152020869995f46970dc5c2dd2.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3928, depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3140, depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2828, depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e4e7cb078d9eca7e6ac5f738eb28b55e
  SHA1: 1645f2bd1d5845eca9c44a112b7762e87631c1b5
  SHA256: a42c06cd1cd7adf77a96cc6e532a34b5f6c440a6a2789e63d6c35725f263eb0c
  SHA512: ce70087d35712c6d0f4202f540dac8d3a89f8c531c0713ddbcb339a6199bab5cb2ad7500cc561177bd374bb21c04129529cc391d325da87291ee7804beb89880
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: ffe049220458df6d87813bda567fd205
  SHA1: 3d16faf3e388022f0f936fba1d215d92c9bbbed9
  SHA256: fd7430245972860f132b7a51f6538274b8c87d4e3b752590b727b78c8a5ea666
  SHA512: 16a912db521a6207b53ff511488d1543ce61e2f28c69d4380f39a7e7e4521592044b54668e1811413741b82190a84de7b48d1244179b67ea8d9f60cc2df8ff90
- memory/1572-130-0x0000000000000000-mapping.dmp
- memory/3928-131-0x0000000000000000-mapping.dmp