Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:13
Static task: static1
Behavioral task: behavioral1
  Sample: 937d1c7c2a656bccc8a115f445b166db.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 937d1c7c2a656bccc8a115f445b166db.dll
  Resource: win10v2004-20220414-en
General
- Target: 937d1c7c2a656bccc8a115f445b166db.dll
- Size: 5.0MB
- MD5: 937d1c7c2a656bccc8a115f445b166db
- SHA1: a20b4e933772ca65117992bdd60220726e9d545a
- SHA256: 039b32d60d25dea0656c75fcc4017898a780560966b3a2915ca0e0c4220d4431
- SHA512: cbeea4b9e06c90514da3a98f7c16a72144ca93ec3b4bbd7a01c7a4bf181868803aeb5dd221698e8493f671fbaf1690ecc2543b85e2272bf83753b70bd124c610
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3324) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID    Process
    5056   mssecsvc.exe
    884    mssecsvc.exe
    4412   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description    IoC                        Process
    File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description       IoC                                                                                                          Process
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                         PID    Process        Target process
    PID 5104 wrote to memory of 3944    5104   rundll32.exe   rundll32.exe
    PID 5104 wrote to memory of 3944    5104   rundll32.exe   rundll32.exe
    PID 5104 wrote to memory of 3944    5104   rundll32.exe   rundll32.exe
    PID 3944 wrote to memory of 5056    3944   rundll32.exe   mssecsvc.exe
    PID 3944 wrote to memory of 5056    3944   rundll32.exe   mssecsvc.exe
    PID 3944 wrote to memory of 5056    3944   rundll32.exe   mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\937d1c7c2a656bccc8a115f445b166db.dll,#1
  PID: 5104
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\937d1c7c2a656bccc8a115f445b166db.dll,#1
    PID: 3944
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command: C:\WINDOWS\mssecsvc.exe
      PID: 5056
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command: C:\WINDOWS\tasksche.exe /i
        PID: 4412
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command: C:\WINDOWS\mssecsvc.exe -m security
  PID: 884
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e0c388c78e52ae9f5b9e15d044574358
  SHA1: de2ed045caa3a4840bfcfe3e1aaf3ffe68e5c477
  SHA256: 01c0478b33a0ef1ec2e9d8c438ab3a61f0ebe037b152dca37f45a8d39aad3db3
  SHA512: 92f6ceddd66f069c9c99cb195435dd3fff8aed2baf2f4f6ab37728cda5d51a11c376a1c73d40ab39fb47cd96630673dae4aee85b900a3f7228716b28908d8068
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e0c388c78e52ae9f5b9e15d044574358
  SHA1: de2ed045caa3a4840bfcfe3e1aaf3ffe68e5c477
  SHA256: 01c0478b33a0ef1ec2e9d8c438ab3a61f0ebe037b152dca37f45a8d39aad3db3
  SHA512: 92f6ceddd66f069c9c99cb195435dd3fff8aed2baf2f4f6ab37728cda5d51a11c376a1c73d40ab39fb47cd96630673dae4aee85b900a3f7228716b28908d8068
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: ab4c6ef5625fcc194fdfa6e760eab2c8
  SHA1: eea52215e31b7ce34e8ddc0f90e5d73f66c9fee8
  SHA256: abfdb4a7d6e4cfe9a15e4e998b1b1c2adbfa388c94c1c7f696c1a15368446f88
  SHA512: ff4bb15aaeb4449538c4bc8adbadc67a4aa6e59872bec1aa786b91b3b851607f7a6f961b820f70192b7c34cda4c00e916569e7f6abb52d7aea064b1aa78558c9
- memory/3944-130-0x0000000000000000-mapping.dmp
- memory/5056-131-0x0000000000000000-mapping.dmp