Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:46
Static task: static1
Behavioral task: behavioral1
- Sample: 425ec08bc3a0a7714579a61c084e8a30.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 425ec08bc3a0a7714579a61c084e8a30.dll
- Resource: win10v2004-20220414-en
General
- Target: 425ec08bc3a0a7714579a61c084e8a30.dll
- Size: 5.0MB
- MD5: 425ec08bc3a0a7714579a61c084e8a30
- SHA1: 43f5d8e3c16132d75d4c99499e456ed7dbdfdaff
- SHA256: 40817631c9126d9c6ee51ed0bfae33a33c81c21188384b6f3ccbbf14aeadf272
- SHA512: 8ce530aea61836943f39b83001801b53741eb3f1ca99d7771d04a346f9d55beae8f3238dd1447942055a8d90313709a8375135ba0e73bad0fd7ddabc8ff2b173
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3222) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    4140 | mssecsvc.exe
    4528 | mssecsvc.exe
    2412 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                     | process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description     | ioc                                                                                                         | process
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      | pid  | process      | target process
    PID 3316 wrote to memory of 4736 | 3316 | rundll32.exe | rundll32.exe
    PID 3316 wrote to memory of 4736 | 3316 | rundll32.exe | rundll32.exe
    PID 3316 wrote to memory of 4736 | 3316 | rundll32.exe | rundll32.exe
    PID 4736 wrote to memory of 4140 | 4736 | rundll32.exe | mssecsvc.exe
    PID 4736 wrote to memory of 4140 | 4736 | rundll32.exe | mssecsvc.exe
    PID 4736 wrote to memory of 4140 | 4736 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\425ec08bc3a0a7714579a61c084e8a30.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\425ec08bc3a0a7714579a61c084e8a30.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: fa59dca1f30b69d7ca1fc67daec15615
  SHA1: edff562e558d0dce41d85c556029d7f616a6b2ce
  SHA256: 40456d7d08610808e636e1059075b258b70195ea209e6385fbcb96e2df93fa56
  SHA512: fa3d7884d9cd79ed98647a67c8605f66fa0f57096734c5ceb0b5bfdc8ab76271569bb6d68cbe191b10ce6f780967ce738bbdf76aeaf51f3ffbee69ad47276f1b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: fc0195c3fbc9d1ba19811d3c36b2bea4
  SHA1: d618abf74712f8730fbad1d0988d1c30e1ec036b
  SHA256: 0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739
  SHA512: 01423a0dd12ce2b337ef97087073945c9282cc0c51d8be12c43425e3357292b92f29ed43af52e7d6ff34adbb1cc10f8b34d2362995b3a9248bad71337b92d965
- memory/4140-131-0x0000000000000000-mapping.dmp
- memory/4736-130-0x0000000000000000-mapping.dmp