Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-07-2022 00:35
Static task
static1
Behavioral task
behavioral1
Sample
acb0a02446bbf730fcf89fdd403497f5.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
acb0a02446bbf730fcf89fdd403497f5.dll
Resource
win10v2004-20220414-en
General
-
Target
acb0a02446bbf730fcf89fdd403497f5.dll
-
Size
5.0MB
-
MD5
acb0a02446bbf730fcf89fdd403497f5
-
SHA1
8ec4f36c98ba976ba397edb0fc09aa61c4786271
-
SHA256
1618f3bb469668ff51dfcd2e302c866a424d3fe17eb49159934e85421a3a6668
-
SHA512
438dd76212fa83d26b92d5bd18dd69aba72cf759598b86fa4d126a37e8cab6e7fa4d90981e8c43cbffff6f8f8ee5352d9bb5c5f741999b095493b1a25214e7f5
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3136) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 2 IoCs
Processes:
pid process
3120 mssecsvc.exe
3128 mssecsvc.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
description ioc process
File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
description ioc process
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description pid process target process
PID 2304 wrote to memory of 4356 2304 rundll32.exe rundll32.exe
PID 2304 wrote to memory of 4356 2304 rundll32.exe rundll32.exe
PID 2304 wrote to memory of 4356 2304 rundll32.exe rundll32.exe
PID 4356 wrote to memory of 3120 4356 rundll32.exe mssecsvc.exe
PID 4356 wrote to memory of 3120 4356 rundll32.exe mssecsvc.exe
PID 4356 wrote to memory of 3120 4356 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\acb0a02446bbf730fcf89fdd403497f5.dll,#1
- Suspicious use of WriteProcessMemory
PID:2304
    -
    C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\acb0a02446bbf730fcf89fdd403497f5.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4356
        -
        C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        PID:3120
-
C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3128
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\WINDOWS\mssecsvc.exe
Filesize 3.6MB
MD5 f0aedaae90762d7baf6892ddf21123dc
SHA1 70d031c8403c118d157b1ab7f474b8b01441d789
SHA256 5b86466316cbe584fb86aa186ef2a06d40c2f6b9f58c5b69aa64aac8cab1f7a0
SHA512 06cab9760a98ed58ad3d298fde8955307c83338d5f7fc9793e599afbb71e0f74e4f2ed39474d8376d710dc3660c3cce2677cbf95569410897f79b9e771330bf8
-
C:\Windows\mssecsvc.exe
Filesize 3.6MB
MD5 f0aedaae90762d7baf6892ddf21123dc
SHA1 70d031c8403c118d157b1ab7f474b8b01441d789
SHA256 5b86466316cbe584fb86aa186ef2a06d40c2f6b9f58c5b69aa64aac8cab1f7a0
SHA512 06cab9760a98ed58ad3d298fde8955307c83338d5f7fc9793e599afbb71e0f74e4f2ed39474d8376d710dc3660c3cce2677cbf95569410897f79b9e771330bf8
-
memory/3120-131-0x0000000000000000-mapping.dmp
-
memory/4356-130-0x0000000000000000-mapping.dmp