Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 00:33

Static task: static1
Behavioral task: behavioral1
  Sample: 63c573c0e2eb59009ef97da2ecf73f0e.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 63c573c0e2eb59009ef97da2ecf73f0e.dll
  Resource: win10v2004-20220718-en
General
Target: 63c573c0e2eb59009ef97da2ecf73f0e.dll
Size: 5.0MB
MD5: 63c573c0e2eb59009ef97da2ecf73f0e
SHA1: 37190dc39e54b87cf0447baf3586f46e44b0f25f
SHA256: aec918fc5527c8960921c04c7abbcf3aadcb5d8f0aa6862c6d6be68e28771a68
SHA512: 4dc76ecac022bda0dd76cab6e1bbf6774663be1a19d120c13e45ce80c07ef8091c2126d1c341fe87da2d32a7ed0c05afbdfca25f8503d95c653bacaa14be2055
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3321) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    3372  mssecsvc.exe
    2864  mssecsvc.exe
    4120  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    Description      IoC                                                                                                  Process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\          mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    Description              PID   Process       Target PID  Target process
    PID 3516 wrote to memory 3516  rundll32.exe  1540        rundll32.exe
    PID 3516 wrote to memory 3516  rundll32.exe  1540        rundll32.exe
    PID 3516 wrote to memory 3516  rundll32.exe  1540        rundll32.exe
    PID 1540 wrote to memory 1540  rundll32.exe  3372        mssecsvc.exe
    PID 1540 wrote to memory 1540  rundll32.exe  3372        mssecsvc.exe
    PID 1540 wrote to memory 1540  rundll32.exe  3372        mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\63c573c0e2eb59009ef97da2ecf73f0e.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\63c573c0e2eb59009ef97da2ecf73f0e.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe (listed three times in the report, also as C:\Windows\mssecsvc.exe, with identical hashes)
  Filesize  3.6MB
  MD5       831d52f31a6a17f83e537cd88fb7cb45
  SHA1      a0438282a960785beec3d9883b30f52096d15fd5
  SHA256    7c8c62652776124e5677090240da894daa838fb8b4a6ced0631523dc8b7e8914
  SHA512    2abfedabc833fb03db733d8e615e6d07ef291107aec7f68d3aea6867ade5c53d02a1caa97d292a2f34d5a14e57f163e300f7452b076ea71fd3846729c05e9bb6
- C:\Windows\tasksche.exe
  Filesize  3.4MB
  MD5       35b29eb65b8155ffddce5b739c464334
  SHA1      2ee26d2ffae3d9c7e22fdca9ceba8224104a76da
  SHA256    ce57ff23fb05e36a1633a8952a3c9a660883b8a7783c5ca17cf448a6b9d94209
  SHA512    543d399ea56484a085392c1ece2ccfaad6011980d088038aa320adc1e969b958722250849f7e15f9da8c1ee8bf7ece0763d746c998f9fc6068f732fbf4eab392
- memory/1540-130-0x0000000000000000-mapping.dmp
- memory/3372-131-0x0000000000000000-mapping.dmp
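The process tree and file hashes above are the parts of this report a detection engineer would actually turn into rules. The block below is an added example, not part of the sandbox report or any vendor tooling: it encodes the rundll32.exe -> mssecsvc.exe -> tasksche.exe /i chain and the "-m security" service instance as rules over process-creation events, and matches SHA256 digests against the report's file IoCs. The events are constructed for this example using Sysmon Event ID 1 field names; the PIDs 3516, 1540, 3372, 4120 and 2864 come from the report, while the explorer.exe parent (PID 4000), the services.exe parent (PID 700) of the "-m security" instance, and the benign control event (PID 5100) are assumptions.

```python
import hashlib
import re

# File IoCs taken from the report's General and Downloads sections (SHA256 -> artefact).
FILE_IOCS = {
    "aec918fc5527c8960921c04c7abbcf3aadcb5d8f0aa6862c6d6be68e28771a68": "63c573c0e2eb59009ef97da2ecf73f0e.dll (submitted sample)",
    "7c8c62652776124e5677090240da894daa838fb8b4a6ced0631523dc8b7e8914": "C:\\WINDOWS\\mssecsvc.exe (dropped by rundll32.exe)",
    "ce57ff23fb05e36a1633a8952a3c9a660883b8a7783c5ca17cf448a6b9d94209": "C:\\WINDOWS\\tasksche.exe (dropped by mssecsvc.exe)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ioc_for_digest(digest: str):
    """Return the IoC label for a SHA256 hex digest, or None if the report does not list it."""
    return FILE_IOCS.get(digest.lower())


# Constructed Sysmon-style process-creation events reproducing the report's tree.
# PIDs 4000 (explorer.exe), 700 (services.exe) and 5100 (benign control) are assumptions.
EVENTS = [
    {"pid": 3516, "ppid": 4000, "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\63c573c0e2eb59009ef97da2ecf73f0e.dll,#1"},
    {"pid": 1540, "ppid": 3516, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\63c573c0e2eb59009ef97da2ecf73f0e.dll,#1"},
    {"pid": 3372, "ppid": 1540, "Image": r"C:\WINDOWS\mssecsvc.exe",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 4120, "ppid": 3372, "Image": r"C:\WINDOWS\tasksche.exe",
     "ParentImage": r"C:\WINDOWS\mssecsvc.exe",
     "CommandLine": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 2864, "ppid": 700, "Image": r"C:\WINDOWS\mssecsvc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Benign control: rundll32.exe loading a legitimate system DLL must not fire.
    {"pid": 5100, "ppid": 4000, "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# The two executables the report shows being dropped directly under C:\WINDOWS.
DROPPED = re.compile(r"^c:\\windows\\(mssecsvc|tasksche)\.exe$", re.I)


def classify(ev) -> list:
    """Rule names matched by one event; each mirrors a signature in the report."""
    image = ev["Image"].lower()
    parent = ev["ParentImage"].lower()
    cmd = ev["CommandLine"].lower()
    hits = []
    # "Executes dropped EXE": rundll32.exe starting an EXE written into the Windows directory.
    if DROPPED.match(image) and parent.endswith("\\rundll32.exe"):
        hits.append("rundll32_launches_exe_from_windows_dir")
    # The second mssecsvc.exe instance started with "-m security" (the one that edits ZoneMap).
    if image.endswith("\\mssecsvc.exe") and cmd.endswith(" -m security"):
        hits.append("mssecsvc_service_start")
    # tasksche.exe /i spawned by mssecsvc.exe.
    if image.endswith("\\tasksche.exe") and cmd.endswith(" /i") and parent.endswith("\\mssecsvc.exe"):
        hits.append("tasksche_install_from_mssecsvc")
    return hits


def find_chains(events) -> list:
    """Return PID chains (root first) of rundll32.exe -> mssecsvc.exe -> tasksche.exe, via ppid links."""
    by_pid = {ev["pid"]: ev for ev in events}
    chains = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\tasksche.exe"):
            continue
        chain, cur = [ev["pid"]], ev
        while cur["ppid"] in by_pid:          # walk upwards until the parent is outside the event set
            cur = by_pid[cur["ppid"]]
            chain.append(cur["pid"])
        images = [by_pid[p]["Image"].lower() for p in chain]
        if len(images) >= 3 and images[1].endswith("\\mssecsvc.exe") and images[2].endswith("\\rundll32.exe"):
            chains.append(list(reversed(chain)))
    return chains


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["pid"], ev["Image"], classify(ev))
    print("chains:", find_chains(EVENTS))
    print(ioc_for_digest("7c8c62652776124e5677090240da894daa838fb8b4a6ced0631523dc8b7e8914"))
```

The chain rule deliberately keys on the parent-child relationship rather than on the file names alone: the report shows the same mssecsvc.exe image running twice (PIDs 3372 and 2864) with different parents and command lines, and only the ppid walk distinguishes the dropper-launched instance from the "-m security" service instance.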