Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 00:21
Static task: static1
Behavioral task: behavioral1
- Sample: 5d92803db88c63ce63015eca6ec5e75a.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 5d92803db88c63ce63015eca6ec5e75a.dll
- Resource: win10v2004-20220414-en
General
- Target: 5d92803db88c63ce63015eca6ec5e75a.dll
- Size: 5.0MB
- MD5: 5d92803db88c63ce63015eca6ec5e75a
- SHA1: e202d06dc9a3f2bcc8c24afba5e73238f03b2340
- SHA256: 287889afcc2b86f6b705c55882880954e41f15ecbf3441980a567f8ff10605a3
- SHA512: 6efafb95bcfab2b8d14c5eb9adee4c21cfe0f900b873665159c3e157e8202046bd47adeddfd716fad65b93691addd5b4618bafe4d306814b2ac2d4318b359a47
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3331) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  - 3852 | mssecsvc.exe
  - 4584 | mssecsvc.exe
  - 4580 | tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
  - File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  - File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  - PID 4284 wrote to memory of 2752 | 4284 | rundll32.exe | rundll32.exe
  - PID 4284 wrote to memory of 2752 | 4284 | rundll32.exe | rundll32.exe
  - PID 4284 wrote to memory of 2752 | 4284 | rundll32.exe | rundll32.exe
  - PID 2752 wrote to memory of 3852 | 2752 | rundll32.exe | mssecsvc.exe
  - PID 2752 wrote to memory of 3852 | 2752 | rundll32.exe | mssecsvc.exe
  - PID 2752 wrote to memory of 3852 | 2752 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID: 4284)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d92803db88c63ce63015eca6ec5e75a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 2752)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d92803db88c63ce63015eca6ec5e75a.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID: 3852)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID: 4580)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID: 4584)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 025b78612cb2cdcd2911e1ff9a4e2e97
  SHA1: 448993504e2582d4a5af3a3eac139389709c4955
  SHA256: 6e7079fd8bcd6a518fbfd1fa69f39063330a8bf22ecb795a550c7f611d03b02d
  SHA512: 3796e6953f08b4004889a361e9dca094203a0c3b8296da31c4e50c4475cfe73cc40d110d7f4d0b64f19781d877805a1715fec400a6607d0c86565efe80c36a59
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: ef98ed24f8de1a231f833d48da3484df
  SHA1: bff6bbf8c6378ed15600d1bf3e340551fe490965
  SHA256: 41bfecc28427928f62e5af66c3328e0d2e72080a0f4cf6d6743b3699c433cac7
  SHA512: 29a06ac39ebf7d2d861df530019d513da1b40b87058d4e9194486352aa1738b9921adcad804e41b2914ed3042d021a1f8a102495666ca888f5560deb4f8601fd
- memory/2752-130-0x0000000000000000-mapping.dmp
- memory/3852-131-0x0000000000000000-mapping.dmp