Analysis
- max time kernel: 152s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:10
- Static task: static1
- Behavioral task: behavioral1
  Sample: 46f3bf3c094bc3fb9eb27f29bb4abb4f.dll
  Resource: win7-20220715-en
- Behavioral task: behavioral2
  Sample: 46f3bf3c094bc3fb9eb27f29bb4abb4f.dll
  Resource: win10v2004-20220718-en
General
- Target: 46f3bf3c094bc3fb9eb27f29bb4abb4f.dll
- Size: 5.0MB
- MD5: 46f3bf3c094bc3fb9eb27f29bb4abb4f
- SHA1: 1c9c0306803fec08347632c71fc8764070999eee
- SHA256: f4048bacc029767ce323bdf41326c012bed6be87e9a371a9af116e189692db85
- SHA512: 3588fac826f716beda85fa369afa5032b66bce02a487b25b0cfe7b93ddc827d3acd91a72f960dd19434a2552a904559e05bc4bd611748dc55b0473d49e5a4cdd
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3225) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID 4232  mssecsvc.exe
  PID 4300  mssecsvc.exe
  PID 2080  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe  (process: rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe  (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  (process: mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  (process: mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  (process: mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  (process: mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  (process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID 1328 wrote to memory of 5100  (rundll32.exe -> rundll32.exe)
  PID 1328 wrote to memory of 5100  (rundll32.exe -> rundll32.exe)
  PID 1328 wrote to memory of 5100  (rundll32.exe -> rundll32.exe)
  PID 5100 wrote to memory of 4232  (rundll32.exe -> mssecsvc.exe)
  PID 5100 wrote to memory of 4232  (rundll32.exe -> mssecsvc.exe)
  PID 5100 wrote to memory of 4232  (rundll32.exe -> mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe  (PID 1328)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\46f3bf3c094bc3fb9eb27f29bb4abb4f.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe  (PID 5100)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\46f3bf3c094bc3fb9eb27f29bb4abb4f.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe  (PID 4232)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe  (PID 2080)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe  (PID 4300)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a28af5c377074147c1a096825ec02300
  SHA1: f62139232de0eb59a94309613c14ca9b850a7552
  SHA256: d251254dfe8fbf16edfd6b08d7c55a7cce56b906c9f397ddb9078a8b616ec9c1
  SHA512: 5a45a35835801f7df1ac6803fac390156d2b34ac1da80c190317377d8274c57c52f2e3df8f01358004c7d433ce1472750c98b188463c7774551033703f9b5a5a
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b91e13ab73037ff6d8fa366c15a71e0c
  SHA1: 6a3c91726bbabbdd7be906dd5043109b57168fac
  SHA256: 1ba99c726653eac71595e3faea3dbdec63dcb05c7619d396ef730ac46e166d31
  SHA512: 4cacf5005c3ccf4f483c04d65e451b13549766d9c87cd83024852df259c6455aae1f3530ebfde57f6c83ffd55f568baf746195269863c8894e339382a13bd269
- memory/4232-131-0x0000000000000000-mapping.dmp
- memory/5100-130-0x0000000000000000-mapping.dmp