Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 00:34
Static task: static1
Behavioral task: behavioral1
- Sample: 2dec2553068c0e7f3a4506bf410260ad.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 2dec2553068c0e7f3a4506bf410260ad.dll
- Resource: win10v2004-20220414-en
General
- Target: 2dec2553068c0e7f3a4506bf410260ad.dll
- Size: 5.0MB
- MD5: 2dec2553068c0e7f3a4506bf410260ad
- SHA1: 5970b85c06cbadf33567b1c05bc650e4a5978b31
- SHA256: f3422d64bb63fb12ffb95cee19fa02f14c83d7bffdfa443eb6a0c460da70d8dd
- SHA512: 294811fc7352fc94a06bcd25e1cae2e2682ceddb633211ee156fa088c6dff727fa092cdde113bbbcb6cb24926b197f1eddd1974f49eb7e090e7e2eab1b073d8b
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3123) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe

    | PID  | Process      |
    |------|--------------|
    | 2316 | mssecsvc.exe |
    | 4660 | mssecsvc.exe |
    | 4596 | tasksche.exe |

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe

    | Description  | IoC                       | Process      |
    |--------------|---------------------------|--------------|
    | File created | `C:\WINDOWS\mssecsvc.exe` | rundll32.exe |
    | File created | `C:\WINDOWS\tasksche.exe` | mssecsvc.exe |

- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe

    | Description     | IoC                                                                                                           | Process      |
    |-----------------|---------------------------------------------------------------------------------------------------------------|--------------|
    | Set value (int) | `\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"`  | mssecsvc.exe |
    | Set value (int) | `\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"` | mssecsvc.exe |
    | Set value (int) | `\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"`    | mssecsvc.exe |
    | Key created     | `\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\`                    | mssecsvc.exe |
    | Set value (int) | `\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"`   | mssecsvc.exe |

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe

    | Description                      | PID  | Process      | Target process |
    |----------------------------------|------|--------------|----------------|
    | PID 4100 wrote to memory of 3136 | 4100 | rundll32.exe | rundll32.exe   |
    | PID 4100 wrote to memory of 3136 | 4100 | rundll32.exe | rundll32.exe   |
    | PID 4100 wrote to memory of 3136 | 4100 | rundll32.exe | rundll32.exe   |
    | PID 3136 wrote to memory of 2316 | 3136 | rundll32.exe | mssecsvc.exe   |
    | PID 3136 wrote to memory of 2316 | 3136 | rundll32.exe | mssecsvc.exe   |
    | PID 3136 wrote to memory of 2316 | 3136 | rundll32.exe | mssecsvc.exe   |
Processes
- C:\Windows\system32\rundll32.exe (PID 4100, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dec2553068c0e7f3a4506bf410260ad.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3136, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dec2553068c0e7f3a4506bf410260ad.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2316, depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4596, depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 4660, depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: df432148530b9908d656f1bd759fbf2d
  - SHA1: 5011840074ed8bc8c4085e76dc4eb5afc3f13024
  - SHA256: 9ccc2ac991e53773acbccd1449c46e4b7c2fea759442fafa65b98746bb79ed4d
  - SHA512: 6fcff0e0524a499946d2dfc549ef94971a7bcaffca4e0bd3371f9a043d69501eb0009c45ce7601604d84b8b12984e78e601b5196a306409d461ca5e4b2163fe0
- C:\Windows\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: df432148530b9908d656f1bd759fbf2d
  - SHA1: 5011840074ed8bc8c4085e76dc4eb5afc3f13024
  - SHA256: 9ccc2ac991e53773acbccd1449c46e4b7c2fea759442fafa65b98746bb79ed4d
  - SHA512: 6fcff0e0524a499946d2dfc549ef94971a7bcaffca4e0bd3371f9a043d69501eb0009c45ce7601604d84b8b12984e78e601b5196a306409d461ca5e4b2163fe0
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: 76d06d2096fe49ac97c2bf21709bbba4
  - SHA1: a7df08006ceafb441271c615c2e1d67218ba81a1
  - SHA256: 945f2bb56bfef539d0404194bb7a7ac1f79b2307c33c8b196078c7b16bba098c
  - SHA512: b29a68783506989f55eaf6bf160ab285f4579e62e8ca01ad9ef3f4cfd460832a703641a52332a4880b3f8e5d5a63cde897776dd2756b9b9e930280e8dcfd0031
- memory/2316-131-0x0000000000000000-mapping.dmp
- memory/3136-130-0x0000000000000000-mapping.dmp