Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:03

Static task: static1

Behavioral task: behavioral1
- Sample: 7835ea6ac1cd6702bb50ea57fd598716.dll
- Resource: win7-20220715-en

Behavioral task: behavioral2
- Sample: 7835ea6ac1cd6702bb50ea57fd598716.dll
- Resource: win10v2004-20220718-en
General
- Target: 7835ea6ac1cd6702bb50ea57fd598716.dll
- Size: 5.0MB
- MD5: 7835ea6ac1cd6702bb50ea57fd598716
- SHA1: 36aea0d627d0d7d2ee8d4d1ca931d4ea8cf290d8
- SHA256: 580f6e9fdbfd5f1fbb439573dd21ef1b56ce227f66ad3c8364c3c553a04e6686
- SHA512: 7feb8ea65efa5c9924ef17672880d31cc652d878e49ad3da3a4c29b4b79685e1d328072a9d32d6d2a7e3b734e2f3b231e287b7254e4d3d8ba020c9f2a556388f
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3211) of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes:
    PID   Process
    3996  mssecsvc.exe
    4568  mssecsvc.exe
- Creates a large number of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                      Process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (all by mssecsvc.exe):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                      PID   Process       Target process
    PID 4268 wrote to memory of 816  4268  rundll32.exe  rundll32.exe
    PID 4268 wrote to memory of 816  4268  rundll32.exe  rundll32.exe
    PID 4268 wrote to memory of 816  4268  rundll32.exe  rundll32.exe
    PID 816 wrote to memory of 3996  816   rundll32.exe  mssecsvc.exe
    PID 816 wrote to memory of 3996  816   rundll32.exe  mssecsvc.exe
    PID 816 wrote to memory of 3996  816   rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7835ea6ac1cd6702bb50ea57fd598716.dll,#1
  PID: 4268
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7835ea6ac1cd6702bb50ea57fd598716.dll,#1
    PID: 816
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3996
      - Executes dropped EXE
      - Drops file in Windows directory
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4568
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 22550629ee04ba197cc47236edd51a24
  SHA1: 238f14a6f1fbfc1340e22bf01590dc4fd7686d04
  SHA256: 084088b524fdde60e4d46aa68714c095bc80a1134bfa6f613beccc7c332451ed
  SHA512: 9575fb1e07f631fb3856884e737a44733bfc71e0d1cc36bf6e09208addd286d2bf35dcbe063142c947ea87d5995ca5b1a423cfaa5dff6e6e5711a86f914ff88b
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 22550629ee04ba197cc47236edd51a24
  SHA1: 238f14a6f1fbfc1340e22bf01590dc4fd7686d04
  SHA256: 084088b524fdde60e4d46aa68714c095bc80a1134bfa6f613beccc7c332451ed
  SHA512: 9575fb1e07f631fb3856884e737a44733bfc71e0d1cc36bf6e09208addd286d2bf35dcbe063142c947ea87d5995ca5b1a423cfaa5dff6e6e5711a86f914ff88b
- memory/816-130-0x0000000000000000-mapping.dmp
- memory/3996-131-0x0000000000000000-mapping.dmp
- memory/3996-134-0x0000000000400000-0x0000000000A72000-memory.dmp
  Filesize: 6.4MB
- memory/3996-137-0x0000000000400000-0x0000000000A72000-memory.dmp
  Filesize: 6.4MB
- memory/4568-136-0x0000000000400000-0x0000000000A72000-memory.dmp
  Filesize: 6.4MB
- memory/4568-138-0x0000000000400000-0x0000000000A72000-memory.dmp
  Filesize: 6.4MB