Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:12
Static task: static1
Behavioral task: behavioral1
- Sample: adc8f2156c4945882116b8516359cc67.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: adc8f2156c4945882116b8516359cc67.dll
- Resource: win10v2004-20220414-en
General
- Target: adc8f2156c4945882116b8516359cc67.dll
- Size: 5.0MB
- MD5: adc8f2156c4945882116b8516359cc67
- SHA1: ba6e3dd3516b3d8a6742879fb7e86e6218a0cfcb
- SHA256: f2296230172c19e908b726e85bd9ac069f0b786718a28e066482dae2261ef5c2
- SHA512: a1530ab0cbc5ace2c7c870d461f7f23208d49af5ad47b483a9d0cf0a5fb2f36b99b7ddec42f8268a0b9505428b328c78c653665c304a30864d2c1e34c431599e
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3102) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 4136  mssecsvc.exe
    PID 4336  mssecsvc.exe
    PID 4960  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created  C:\WINDOWS\mssecsvc.exe  by rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  by mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  by mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  by mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  by mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  by mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  by mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 4900 (rundll32.exe) wrote to memory of PID 4552 (rundll32.exe)
    PID 4900 (rundll32.exe) wrote to memory of PID 4552 (rundll32.exe)
    PID 4900 (rundll32.exe) wrote to memory of PID 4552 (rundll32.exe)
    PID 4552 (rundll32.exe) wrote to memory of PID 4136 (mssecsvc.exe)
    PID 4552 (rundll32.exe) wrote to memory of PID 4136 (mssecsvc.exe)
    PID 4552 (rundll32.exe) wrote to memory of PID 4136 (mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe (PID 4900)
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc8f2156c4945882116b8516359cc67.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4552)
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\adc8f2156c4945882116b8516359cc67.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 4136)
      Command: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4960)
        Command: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 4336)
  Command: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 136b7c839471d10ae0debb739942f0df
  SHA1: 093046c7668fac352cc56ed12ae31b11d7867bca
  SHA256: e6e69274e8c529f3030d269176c1ba3e8a4aaec75d096527034e1c0ce13f42af
  SHA512: f7dbaedaf65ead6760f88d3261c4b12e19cdfdf000d3166fc4f2d7893812590d791a4156ff0f04d341a82d87a793a1b88263c0466805d7685943729367cb3a52
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 136b7c839471d10ae0debb739942f0df
  SHA1: 093046c7668fac352cc56ed12ae31b11d7867bca
  SHA256: e6e69274e8c529f3030d269176c1ba3e8a4aaec75d096527034e1c0ce13f42af
  SHA512: f7dbaedaf65ead6760f88d3261c4b12e19cdfdf000d3166fc4f2d7893812590d791a4156ff0f04d341a82d87a793a1b88263c0466805d7685943729367cb3a52
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: bfc5f9eab42f5010e039428a94783a2e
  SHA1: d31d04474563147baba604abe22464234e31d5f9
  SHA256: e5d5ffd0541d6504813b480bb30ec072c58db2feeaad2cf8925a125e399341b6
  SHA512: f4ae0f31a9cfc70da17833321e6726093e58ee29e4380b1af2ea265ba80cd99bbacfc221a01e978c8c99c28eb8035609a80f502a371c93ab7921737f1bf2736c
- memory/4136-131-0x0000000000000000-mapping.dmp
- memory/4552-130-0x0000000000000000-mapping.dmp