Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220718-en locale:en-us os:windows10-2004-x64 system
submitted: 20-07-2022 01:04

Static task: static1

Behavioral task: behavioral1
Sample: 1f0e54455209d879b8d4a9b06ee00746.dll
Resource: win7-20220718-en

Behavioral task: behavioral2
Sample: 1f0e54455209d879b8d4a9b06ee00746.dll
Resource: win10v2004-20220718-en
General
Target: 1f0e54455209d879b8d4a9b06ee00746.dll
Size: 5.0MB
MD5: 1f0e54455209d879b8d4a9b06ee00746
SHA1: 32b59f3433af3d34e9cbf01646981748f7e4a3f4
SHA256: 0f1516a8c0600c59defcf96c87c27de6a81e732ecb2f64b5e48904c31ab2cbb2
SHA512: 7610c74439843fff55777ed65e97838bc086c0bec432f701c978c6a84142ede788da5b68ac81534aa327047641df300d780d7fe70ae22ed2c4eff921f00290b7
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3286) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID   Process
  436   mssecsvc.exe
  892   mssecsvc.exe
  1076  tasksche.exe

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes: mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  (by mssecsvc.exe)
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  (by mssecsvc.exe)
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  (by mssecsvc.exe)
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  (by mssecsvc.exe)
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  (by mssecsvc.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
  Description      PID   Process       Target PID  Target process
  wrote to memory  3448  rundll32.exe  1512        rundll32.exe
  wrote to memory  3448  rundll32.exe  1512        rundll32.exe
  wrote to memory  3448  rundll32.exe  1512        rundll32.exe
  wrote to memory  1512  rundll32.exe  436         mssecsvc.exe
  wrote to memory  1512  rundll32.exe  436         mssecsvc.exe
  wrote to memory  1512  rundll32.exe  436         mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe  (PID 3448)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f0e54455209d879b8d4a9b06ee00746.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 1512)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f0e54455209d879b8d4a9b06ee00746.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe  (PID 436)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe  (PID 1076)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe  (PID 892)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6e6802d5de74e388e03edb32f550b65a
  SHA1: 6900c2c3301601e74c470a24eca2c8665440b3b4
  SHA256: c2c00613999afec5b573db8e48b699c95c0896341465482a7228d6f17048758f
  SHA512: a3407cba8a13b5f25bcc61121318b0be21a27f705db69c650f6c56f4d586d59e5d8ebf119ed0d865c02724681c5ca84e9b96cfeb2bdf59b6785780ae49af9179

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6e6802d5de74e388e03edb32f550b65a
  SHA1: 6900c2c3301601e74c470a24eca2c8665440b3b4
  SHA256: c2c00613999afec5b573db8e48b699c95c0896341465482a7228d6f17048758f
  SHA512: a3407cba8a13b5f25bcc61121318b0be21a27f705db69c650f6c56f4d586d59e5d8ebf119ed0d865c02724681c5ca84e9b96cfeb2bdf59b6785780ae49af9179

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 5ceab4fe5af2e2ef5b6f6fb2bc86642b
  SHA1: 3c44e4762302b7b5fcd6f14457fcfb74ff98b2d1
  SHA256: 1741c55afa4bc741abc334324a18f41d626bca8b85d82800d6832430eeb6598c
  SHA512: d53df9677bd645b1802efd7a93d81e6dad8e5d35969c9f498697dc760c987bc0dedca64db646bc291fe65977b3bcf22c141b37c01245b3f04978f22cb1f0ac03

memory/436-131-0x0000000000000000-mapping.dmp
memory/1512-130-0x0000000000000000-mapping.dmp