Analysis
  max time kernel: 153s
  max time network: 158s
  platform: windows10-2004_x64
  resource: win10v2004-20220718-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-07-2022 01:08

Static task: static1
Behavioral task: behavioral1
  Sample: 24ad1977f214cd1c59c4f3139cb4acf6.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 24ad1977f214cd1c59c4f3139cb4acf6.dll
  Resource: win10v2004-20220718-en
General
  Target: 24ad1977f214cd1c59c4f3139cb4acf6.dll
  Size: 5.0MB
  MD5: 24ad1977f214cd1c59c4f3139cb4acf6
  SHA1: 6dc758c9ab7ffd729eb03ab37e6be8c200997398
  SHA256: 5e1ed6dce864564ca3e35e411a9ac6573d649313f5fbb388bbbaba0ee65b8c34
  SHA512: 8c06ca0ed666b8814286b26509d025c5fdaadb271295cd220f568a2aceb8240b8723b6913a8344d1d89f9d8d67cc0b2ab1b849e67c998d330b9be910cad2628b
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3092) amount of remote hosts (TTPs: 1)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (IoCs: 3)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid | process
    4148 | mssecsvc.exe
    4940 | mssecsvc.exe
    3388 | tasksche.exe

- Creates a large amount of network flows (TTPs: 1)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (IoCs: 2)
  Processes: mssecsvc.exe, rundll32.exe
    description | ioc | process
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe

- Modifies data under HKEY_USERS (IoCs: 5)
  Processes: mssecsvc.exe
    description | ioc | process
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe

- Suspicious use of WriteProcessMemory (IoCs: 6)
  Processes: rundll32.exe, rundll32.exe
    description | pid | process | target process
    PID 4844 wrote to memory of 4412 | 4844 | rundll32.exe | rundll32.exe
    PID 4844 wrote to memory of 4412 | 4844 | rundll32.exe | rundll32.exe
    PID 4844 wrote to memory of 4412 | 4844 | rundll32.exe | rundll32.exe
    PID 4412 wrote to memory of 4148 | 4412 | rundll32.exe | mssecsvc.exe
    PID 4412 wrote to memory of 4148 | 4412 | rundll32.exe | mssecsvc.exe
    PID 4412 wrote to memory of 4148 | 4412 | rundll32.exe | mssecsvc.exe
Processes (tree; indentation shows parent/child)

C:\Windows\system32\rundll32.exe (PID 4844)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ad1977f214cd1c59c4f3139cb4acf6.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 4412)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24ad1977f214cd1c59c4f3139cb4acf6.dll,#1
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 4148)
      command line: C:\WINDOWS\mssecsvc.exe
      signatures: Executes dropped EXE; Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 3388)
        command line: C:\WINDOWS\tasksche.exe /i
        signatures: Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 4940)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 323ac2851e6d5cc9a2cc17cb12297f09
  SHA1: 29d91ff2102a80190921642ab8380b6387565b44
  SHA256: 8db80d15b93b34bd34dbb808af6d1a28f1f6b44eca6187c62a1e3ac3fd36a7ff
  SHA512: a9f738d027d7641619a27dda44ab26d23a1d318850db077ae5b2b6370ab48c3007477f8928b9fa0a5ca09d9312abd99063b69d08964ea56d655a636dbb267e42

- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 323ac2851e6d5cc9a2cc17cb12297f09
  SHA1: 29d91ff2102a80190921642ab8380b6387565b44
  SHA256: 8db80d15b93b34bd34dbb808af6d1a28f1f6b44eca6187c62a1e3ac3fd36a7ff
  SHA512: a9f738d027d7641619a27dda44ab26d23a1d318850db077ae5b2b6370ab48c3007477f8928b9fa0a5ca09d9312abd99063b69d08964ea56d655a636dbb267e42
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 348ae3f6c0c9791f80c2d323dcfb4766
  SHA1: 1e44f5909ad6a0fa8efcdf7bcfcf827f59250638
  SHA256: 68d05985a480d90e74a4fd2f189b8b78b8fd8432226d24b553695aff751e2018
  SHA512: af5a2b157c7637bd8e4a0accd800355c354ddf347d7ce3e1c13363178d2a75ccf4ac588a1f44f7a475d1e207961bd0d6fa640e847852315a6681fab4ae070ae1

- memory/4148-131-0x0000000000000000-mapping.dmp

- memory/4412-130-0x0000000000000000-mapping.dmp