Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-07-2022 00:22
Static task
static1
Behavioral task
behavioral1
Sample
9a1768e5531d0852278b95e4d0137977.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
9a1768e5531d0852278b95e4d0137977.dll
Resource
win10v2004-20220718-en
General
-
Target
9a1768e5531d0852278b95e4d0137977.dll
-
Size
5.0MB
-
MD5
9a1768e5531d0852278b95e4d0137977
-
SHA1
2ca173481b3a44682b197f0c4e409bdf901dd5c9
-
SHA256
4535103ddced2d2d756b4886c0950c0fe39fca42eb94d1970086337ded31e406
-
SHA512
ae016884b0b40abd14e667b376c44877fdca7b731f993e7fc3ac72bad61575d123ae88b3865f02cb706b05c9dac840f207f9380340de631fb59ed70e1c2829ce
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3109) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  3496  mssecsvr.exe
  904   mssecsvr.exe
  4508  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 4 IoCs
Processes:
  description   ioc                                              process
  File created  C:\WINDOWS\mssecsvr.exe                          rundll32.exe
  File created  C:\WINDOWS\tasksche.exe                          mssecsvr.exe
  File created  C:\Windows\__tmp_rar_sfx_access_check_240547093  tasksche.exe
  File created  C:\Windows\eee.exe                               tasksche.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
  description      ioc                                                                                                         process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvr.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description                       pid   process       target process
  PID 5068 wrote to memory of 3212  5068  rundll32.exe  rundll32.exe
  PID 5068 wrote to memory of 3212  5068  rundll32.exe  rundll32.exe
  PID 5068 wrote to memory of 3212  5068  rundll32.exe  rundll32.exe
  PID 3212 wrote to memory of 3496  3212  rundll32.exe  mssecsvr.exe
  PID 3212 wrote to memory of 3496  3212  rundll32.exe  mssecsvr.exe
  PID 3212 wrote to memory of 3496  3212  rundll32.exe  mssecsvr.exe
  PID 3496 wrote to memory of 4508  3496  mssecsvr.exe  tasksche.exe
  PID 3496 wrote to memory of 4508  3496  mssecsvr.exe  tasksche.exe
  PID 3496 wrote to memory of 4508  3496  mssecsvr.exe  tasksche.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a1768e5531d0852278b95e4d0137977.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:5068
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a1768e5531d0852278b95e4d0137977.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3212
    - C:\WINDOWS\mssecsvr.exe
      C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID:3496
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        - Drops file in Windows directory
        PID:4508
- C:\WINDOWS\mssecsvr.exe
  C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:904
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB
MD5
071fc5dc89181e747fda2d9687719b69
SHA1
7844483273dc0db64e69c2063594d81f84a9b5bd
SHA256
d280ce9769d1ed1445e1f7dc9e25d194fe29496d0805438889d1fbcfaaa9280c
SHA512
ee6dab69db9b30e3e07587f213d54a64faf5b4fdf7f85dd9fbc72f49d6c845785b3a09b3ff0fea1d5edd28cae9522a30270f9d336e5e46ce802e4b89d333267d
-
C:\WINDOWS\tasksche.exe
Filesize
2.0MB
MD5
78ebac0bca8b8ecdcb7e591f4a72eeb6
SHA1
2b5df3a69b4a17debf2ab2b2b64a7655734c66d2
SHA256
065bafabd37cb31e9fea599e9f9dd56dddd76b772e02d0561dd8d18b8c83cedc
SHA512
ee7c82d50d65f32cb55e04413de3ffc1288c3d1db863a18bf6d5d6e9f5f4f441de34c56b561097ec46089eab16a2a4994e759d43fa24898680ad3496022193ea
-
C:\Windows\mssecsvr.exe
Filesize
2.2MB
MD5
071fc5dc89181e747fda2d9687719b69
SHA1
7844483273dc0db64e69c2063594d81f84a9b5bd
SHA256
d280ce9769d1ed1445e1f7dc9e25d194fe29496d0805438889d1fbcfaaa9280c
SHA512
ee6dab69db9b30e3e07587f213d54a64faf5b4fdf7f85dd9fbc72f49d6c845785b3a09b3ff0fea1d5edd28cae9522a30270f9d336e5e46ce802e4b89d333267d
-
C:\Windows\tasksche.exe
Filesize
2.0MB
MD5
78ebac0bca8b8ecdcb7e591f4a72eeb6
SHA1
2b5df3a69b4a17debf2ab2b2b64a7655734c66d2
SHA256
065bafabd37cb31e9fea599e9f9dd56dddd76b772e02d0561dd8d18b8c83cedc
SHA512
ee7c82d50d65f32cb55e04413de3ffc1288c3d1db863a18bf6d5d6e9f5f4f441de34c56b561097ec46089eab16a2a4994e759d43fa24898680ad3496022193ea
-
memory/3212-130-0x0000000000000000-mapping.dmp
-
memory/3496-131-0x0000000000000000-mapping.dmp
-
memory/4508-135-0x0000000000000000-mapping.dmp