Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 00:31
Static task: static1
Behavioral task: behavioral1
  Sample: ad65486cebee6dda778e78b81d2459c3.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: ad65486cebee6dda778e78b81d2459c3.dll
  Resource: win10v2004-20220414-en
General
- Target: ad65486cebee6dda778e78b81d2459c3.dll
- Size: 5.0MB
- MD5: ad65486cebee6dda778e78b81d2459c3
- SHA1: 02f70e13c0ca6b9f0f53d7ae280ead8b5a598fab
- SHA256: 590b02828092f489ddb0c6c8a6296a65ec5f5413f7e7937c69d19e872bae8d72
- SHA512: 56ca9918ba5173141f380b82c51649f0d6f5e73f8aa1a4e50edaaa037d5e78043466a069784cbfbfa348cf72b3137587fb720efc01a624df2c664f0aa2c4f597
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3089) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    1224  mssecsvr.exe
    4424  mssecsvr.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                      process
    File created  C:\WINDOWS\mssecsvr.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvr.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                              process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvr.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvr.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvr.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvr.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process       target process
    PID 2400 wrote to memory of 5012   2400  rundll32.exe  rundll32.exe
    PID 2400 wrote to memory of 5012   2400  rundll32.exe  rundll32.exe
    PID 2400 wrote to memory of 5012   2400  rundll32.exe  rundll32.exe
    PID 5012 wrote to memory of 1224   5012  rundll32.exe  mssecsvr.exe
    PID 5012 wrote to memory of 1224   5012  rundll32.exe  mssecsvr.exe
    PID 5012 wrote to memory of 1224   5012  rundll32.exe  mssecsvr.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad65486cebee6dda778e78b81d2459c3.dll,#1
  PID: 2400
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad65486cebee6dda778e78b81d2459c3.dll,#1
    PID: 5012
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      PID: 1224
      - Executes dropped EXE
      - Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  PID: 4424
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
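Detection logic for the behaviours this report lists, as an added example that is not part of the sandbox report. It runs over constructed Sysmon-style process, file and registry events that mirror the process tree, the dropped files and the ZoneMap registry writes above, plus constructed flow records reproducing the 3089-host fan-out. The event field names, the rule names, the fan-out threshold, and the choice of pid 1224 as the scanning process (the report does not attribute the flows to a pid) are assumptions made for illustration.

```python
"""Detection logic for the behaviours in this report, run over constructed events.

Added example; not part of the sandbox report. Field names, rule names and the
fan-out threshold are assumptions chosen for illustration."""
import re
from collections import defaultdict

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\ad65486cebee6dda778e78b81d2459c3.dll"

# Constructed Sysmon-style events mirroring the report's process tree, file drops
# and registry writes. Illustrative, not captured telemetry.
EVENTS = [
    {"type": "process", "pid": 2400, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process", "pid": 5012, "ppid": 2400, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "file", "pid": 5012, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "path": r"C:\WINDOWS\mssecsvr.exe"},
    {"type": "process", "pid": 1224, "ppid": 5012, "image": r"C:\WINDOWS\mssecsvr.exe",
     "cmdline": r"C:\WINDOWS\mssecsvr.exe"},
    {"type": "file", "pid": 1224, "image": r"C:\WINDOWS\mssecsvr.exe",
     "path": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": 4424, "ppid": 700, "image": r"C:\WINDOWS\mssecsvr.exe",
     "cmdline": r"C:\WINDOWS\mssecsvr.exe -m security"},
]
ZONEMAP = (r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap")
for name, val in (("ProxyBypass", 1), ("IntranetName", 1), ("UNCAsIntranet", 1), ("AutoDetect", 0)):
    EVENTS.append({"type": "registry", "pid": 4424, "image": r"C:\WINDOWS\mssecsvr.exe",
                   "key": ZONEMAP + "\\" + name, "value": val})

# Constructed flow records: pid 1224 reaching 3089 distinct hosts (the report's count).
# Attributing the scan to pid 1224 is an assumption; the report does not name the pid.
FLOWS = [{"pid": 1224, "dst": f"10.0.{i >> 8}.{i & 255}"} for i in range(3089)]
FLOWS.append({"pid": 2400, "dst": "10.0.0.1"})

# The "-m security" argument from the second process tree root.
SERVICE_CMDLINE = re.compile(r"\\mssecsvr\.exe\s+-m\s+security\b", re.IGNORECASE)


def detect(events):
    """Return the names of the rules that fire on an ordered event stream."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    dropped = {}  # lower-cased path -> pid that wrote it
    hits = set()
    for e in events:
        image = e["image"].lower()
        if e["type"] == "file":
            path = e["path"].lower()
            dropped[path] = e["pid"]
            # rundll32 has no legitimate reason to write a PE into %SystemRoot%
            if image.endswith("\\rundll32.exe") and path.startswith("c:\\windows\\") \
                    and path.endswith(".exe"):
                hits.add("rundll32_writes_exe_to_windows_dir")
        elif e["type"] == "process":
            parent = procs.get(e["ppid"])
            # "Executes dropped EXE": the child's image was written earlier by its parent
            if parent is not None and dropped.get(image) == parent["pid"]:
                hits.add("parent_executes_file_it_dropped")
            if SERVICE_CMDLINE.search(e["cmdline"]):
                hits.add("mssecsvr_service_cmdline")
        elif e["type"] == "registry":
            key = e["key"].lower()
            # HKEY_USERS\.DEFAULT is the hive a SYSTEM-context process (a service) writes
            # to; ZoneMap changes there are not an interactive user changing IE settings.
            if key.startswith("\\registry\\user\\.default\\") and "\\zonemap\\" in key:
                hits.add("default_user_zonemap_modified")
    return hits


def fan_out(flows, threshold=500):
    """Distinct destination hosts per pid, keeping only pids at or above the threshold."""
    hosts = defaultdict(set)
    for f in flows:
        hosts[f["pid"]].add(f["dst"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


if __name__ == "__main__":
    print(sorted(detect(EVENTS)))  # four rules fire on the constructed stream
    print(fan_out(FLOWS))          # {1224: 3089}
```

The two cheapest rules to deploy are the rundll32 write into %SystemRoot% and the `-m security` command line, since both are specific to this sample's behaviour and need no baseline. The fan-out threshold has to be tuned per environment: vulnerability scanners, monitoring agents and domain controllers legitimately touch hundreds of hosts, so that rule is best used to corroborate the host-based hits rather than to alert on its own.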
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvr.exe
  Filesize: 2.2MB
  MD5: 3d1978e9d13438c38762afab1ed939d9
  SHA1: f66c43ae37c0a29f1eebaba7d7a441ca0d13ecc3
  SHA256: c7c94b419322769cfb99ec20b1a6263b226d32c452398a7bcb93001ead9fecc1
  SHA512: edf548442435e7bae8a39daf9db6ac0037ac22bb39a03b09b03cdcd4677350f13726e93a0026184ab46a681890225c409a8497473d6229f3ed53941ad5979a1c
- C:\Windows\mssecsvr.exe
  Filesize: 2.2MB
  MD5: 3d1978e9d13438c38762afab1ed939d9
  SHA1: f66c43ae37c0a29f1eebaba7d7a441ca0d13ecc3
  SHA256: c7c94b419322769cfb99ec20b1a6263b226d32c452398a7bcb93001ead9fecc1
  SHA512: edf548442435e7bae8a39daf9db6ac0037ac22bb39a03b09b03cdcd4677350f13726e93a0026184ab46a681890225c409a8497473d6229f3ed53941ad5979a1c
- memory/1224-131-0x0000000000000000-mapping.dmp
- memory/5012-130-0x0000000000000000-mapping.dmp