Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 00:30
Static task: static1
Behavioral task: behavioral1
- Sample: 1d6d94d464f5c412a46cc627d0b6e460.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 1d6d94d464f5c412a46cc627d0b6e460.dll
- Resource: win10v2004-20220718-en
General
- Target: 1d6d94d464f5c412a46cc627d0b6e460.dll
- Size: 5.0MB
- MD5: 1d6d94d464f5c412a46cc627d0b6e460
- SHA1: c6eb8e052cbd38a14b205ef027c06bb4a66680b4
- SHA256: 50ce21338b3fc1588a96cedc45b27f9019cdfef4348f808ac7bda1d555783a5d
- SHA512: 441ef97b91f74c3fb35e36a836e57893390f3768d9089c763b4175fa2f728596fa37353023c47a96bb286e39d88a0014849534b5e1d93c33605ea45c80aa2826
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3228) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  1588 mssecsvr.exe
  1864 mssecsvr.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created C:\WINDOWS\mssecsvr.exe rundll32.exe
  File created C:\WINDOWS\tasksche.exe mssecsvr.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvr.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvr.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvr.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvr.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 1368 wrote to memory of 1476, 1368 rundll32.exe, rundll32.exe
  PID 1368 wrote to memory of 1476, 1368 rundll32.exe, rundll32.exe
  PID 1368 wrote to memory of 1476, 1368 rundll32.exe, rundll32.exe
  PID 1476 wrote to memory of 1588, 1476 rundll32.exe, mssecsvr.exe
  PID 1476 wrote to memory of 1588, 1476 rundll32.exe, mssecsvr.exe
  PID 1476 wrote to memory of 1588, 1476 rundll32.exe, mssecsvr.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d6d94d464f5c412a46cc627d0b6e460.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1368
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d6d94d464f5c412a46cc627d0b6e460.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1476
    - C:\WINDOWS\mssecsvr.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1588
- C:\WINDOWS\mssecsvr.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 1864
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvr.exe
  Filesize: 2.2MB
  MD5: 4291e4b98cb467e9515b55fcae20f939
  SHA1: 99e179a5ded29b5ea6e8874c36c9c66131d347bc
  SHA256: 0929d063bd600a32c876ed136ad58d93bf4fe665f497457bbf7472c62dc8b539
  SHA512: f9173584f45ddeefa0ab80d2e743eb8ddff1ddd4ccb05937a02b2adb8324f4f39b9185acc93b4b15042efce2ebe3e413b347368f5a1085432b57b05ffb30b90b
- memory/1476-130-0x0000000000000000-mapping.dmp
- memory/1588-131-0x0000000000000000-mapping.dmp