Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-07-2022 00:22
Static task
static1
Behavioral task
behavioral1
Sample
ccd380345bade422de99c1adbdc7e8e3.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
ccd380345bade422de99c1adbdc7e8e3.dll
Resource
win10v2004-20220414-en
General
-
Target
ccd380345bade422de99c1adbdc7e8e3.dll
-
Size
5.0MB
-
MD5
ccd380345bade422de99c1adbdc7e8e3
-
SHA1
2a97a2fd1aadfca754fa7d020446545f40e2badb
-
SHA256
8c1ef884611f42e99c832194d6d1d446c0a99cf8070e556e6b15204327cf3d84
-
SHA512
cafd828eff12804eb009b56235ad6b9831e251f6560a21a4ca78cafb61333a1be4967bba8daa40b467d1176cc39ec6198a0ff8c18e7e70e36723e76a885ddeea
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3208) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  2080  mssecsvc.exe
  4608  mssecsvc.exe
  1040  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes: mssecsvc.exe
  description      ioc                                                                                                   process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 3172 wrote to memory of 4144  3172  rundll32.exe  rundll32.exe
  PID 3172 wrote to memory of 4144  3172  rundll32.exe  rundll32.exe
  PID 3172 wrote to memory of 4144  3172  rundll32.exe  rundll32.exe
  PID 4144 wrote to memory of 2080  4144  rundll32.exe  mssecsvc.exe
  PID 4144 wrote to memory of 2080  4144  rundll32.exe  mssecsvc.exe
  PID 4144 wrote to memory of 2080  4144  rundll32.exe  mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ccd380345bade422de99c1adbdc7e8e3.dll,#1) [tree level 1]
- Suspicious use of WriteProcessMemory
PID:3172 -
C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ccd380345bade422de99c1adbdc7e8e3.dll,#1) [tree level 2]
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\WINDOWS\mssecsvc.exe (command line: C:\WINDOWS\mssecsvc.exe) [tree level 3]
- Executes dropped EXE
- Drops file in Windows directory
PID:2080 -
C:\WINDOWS\tasksche.exe (command line: C:\WINDOWS\tasksche.exe /i) [tree level 4]
- Executes dropped EXE
PID:1040
-
C:\WINDOWS\mssecsvc.exe (command line: C:\WINDOWS\mssecsvc.exe -m security) [tree level 1]
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4608
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB
MD5
a7907fb78b57067e2fa968adb6ce398b
SHA1
5d2d4a0ba8b560c738792b5f83a15e44135c89d8
SHA256
c1e6c5b5428ac1ca5fce455cf500175b10197ba9847ceb75801f18b9c8b85d9a
SHA512
76f048c1ed3f6d28d3bb664797eb26697cc4b48de0206e628dc260eb7f943082b96845c56078c8bbd4f0e12e7cc87461f2062f1689aa9044c94105f1fba681f8
-
C:\Windows\mssecsvc.exe
Filesize
3.6MB
MD5
a7907fb78b57067e2fa968adb6ce398b
SHA1
5d2d4a0ba8b560c738792b5f83a15e44135c89d8
SHA256
c1e6c5b5428ac1ca5fce455cf500175b10197ba9847ceb75801f18b9c8b85d9a
SHA512
76f048c1ed3f6d28d3bb664797eb26697cc4b48de0206e628dc260eb7f943082b96845c56078c8bbd4f0e12e7cc87461f2062f1689aa9044c94105f1fba681f8
-
C:\Windows\tasksche.exe
Filesize
3.4MB
MD5
ebdcc5c657343f17afc85c7265a6a4b1
SHA1
d3765b19562232788ba9af0d61f966a8c86f907d
SHA256
5d8ca63aa31550c3b1d45db0e6743d466ff16e378801677d9b1d31e6c2da5ab8
SHA512
43e7cd793d1b362fdab7107446fc5cd80370e195451aabce6fb442bc981cac5566e4dbc4d4140e97d6f5d148255fafc3c48cf605bd2c3fe829ab369b49b53c7c
-
memory/2080-131-0x0000000000000000-mapping.dmp
-
memory/4144-130-0x0000000000000000-mapping.dmp