Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 00:38

Static task: static1

Behavioral task: behavioral1
- Sample: 150ee2d0b2e6a3c56b572b9783de32fd.dll
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 150ee2d0b2e6a3c56b572b9783de32fd.dll
- Resource: win10v2004-20220718-en
General
- Target: 150ee2d0b2e6a3c56b572b9783de32fd.dll
- Size: 5.0MB
- MD5: 150ee2d0b2e6a3c56b572b9783de32fd
- SHA1: fff045f439705954979fd84265e7d9cfba2947ec
- SHA256: 97bcff11001a7c764cb7e533f3e25880e50039f79d41feeede35944ba251b4d4
- SHA512: a1a45a461a0c8a2a8421626fa6ae782e3bf7d419fb8c92a071ee76114247ccdbc5c401900955a596eb8cc58fa71a0de11b4a7557e119bc0086b4252f2fe4f487
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3164) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  4556  mssecsvc.exe
  2188  mssecsvc.exe
  4840  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                      process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description      ioc                                                                                                          process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 3120 wrote to memory of 3924  3120  rundll32.exe  rundll32.exe
  PID 3120 wrote to memory of 3924  3120  rundll32.exe  rundll32.exe
  PID 3120 wrote to memory of 3924  3120  rundll32.exe  rundll32.exe
  PID 3924 wrote to memory of 4556  3924  rundll32.exe  mssecsvc.exe
  PID 3924 wrote to memory of 4556  3924  rundll32.exe  mssecsvc.exe
  PID 3924 wrote to memory of 4556  3924  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\150ee2d0b2e6a3c56b572b9783de32fd.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:3120
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\150ee2d0b2e6a3c56b572b9783de32fd.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:3924
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:4556
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:4840
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2188
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e8f15b2e6f0f9aa17464487ecb8c3939
  SHA1: 55ca67d41ad820326aa1cb4aa4780619654eb585
  SHA256: 43f914802e828bdc92afa83027961494cea3f39d16149a5c76acb330405ddc3f
  SHA512: 8717c7589303e802f456b4dfb913e6a614a8ed4577d518820c22e5dcd14f59a15406823bd4ee4cf7b36f595acdc819ca18c0da7e039af186670aad93241f1e5b

- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e8f15b2e6f0f9aa17464487ecb8c3939
  SHA1: 55ca67d41ad820326aa1cb4aa4780619654eb585
  SHA256: 43f914802e828bdc92afa83027961494cea3f39d16149a5c76acb330405ddc3f
  SHA512: 8717c7589303e802f456b4dfb913e6a614a8ed4577d518820c22e5dcd14f59a15406823bd4ee4cf7b36f595acdc819ca18c0da7e039af186670aad93241f1e5b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0ac08ee38e7d39ee7e3d90f573ad5d8f
  SHA1: 9e59f5beec0f2fedc275b6d7a9a60315d48e2cde
  SHA256: d02a2876429e039e08b74fd02007803343fa2b1f284b2674319d4286fb9ec20d
  SHA512: 088ffba0dcaa89a81f01cccebd87755d152fbc43e702ac69325953ea5701894d77922e46a4e7c857b9a5aa2cbdfc4a42624075b926e4e8339f6d9400e522ea04

- memory/3924-130-0x0000000000000000-mapping.dmp
- memory/4556-131-0x0000000000000000-mapping.dmp