Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:14
Static task
- static1
Behavioral task
- behavioral1: Sample 1db8a92bfdf04eefe5e3a03c6f10d4a0.dll, Resource win7-20220718-en
Behavioral task
- behavioral2: Sample 1db8a92bfdf04eefe5e3a03c6f10d4a0.dll, Resource win10v2004-20220718-en (this report)
General
- Target: 1db8a92bfdf04eefe5e3a03c6f10d4a0.dll
- Size: 5.0MB
- MD5: 1db8a92bfdf04eefe5e3a03c6f10d4a0
- SHA1: a4c4f2cee7865dad9b589c9767884f6fd244139f
- SHA256: 7693af2f8fc81803bbe1b70d1e961fc6e4bcd6ac5388df003d0996d5f16fc312
- SHA512: 1d04ceb7775f99f383ebf81b54ea2132d6c1e0ee9947730792232d7a085711c84d5456b06320f705567dfc5dd4c6e306289caf2f3efe1dd18326c661b93f9f44
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3225) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    2276  mssecsvc.exe
    4396  mssecsvc.exe
    4036  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  All five writes come from PID 4396, the "-m security" service instance of mssecsvc.exe; a service running as LocalSystem sees HKEY_USERS\.DEFAULT as its HKCU, which is why the ZoneMap values land there rather than in a user's hive.
  Processes:
    description      ioc                                                                                                            process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Each parent-to-child pair is recorded three times. A parent writing into a child it has just created is what ordinary process start-up looks like, so this signature is weak on its own; the dropped files and the host scan above are the stronger signals.
  Processes:
    description                     pid   process       target process
    PID 4560 wrote to memory of 656   4560  rundll32.exe  rundll32.exe
    PID 4560 wrote to memory of 656   4560  rundll32.exe  rundll32.exe
    PID 4560 wrote to memory of 656   4560  rundll32.exe  rundll32.exe
    PID 656 wrote to memory of 2276   656   rundll32.exe  mssecsvc.exe
    PID 656 wrote to memory of 2276   656   rundll32.exe  mssecsvc.exe
    PID 656 wrote to memory of 2276   656   rundll32.exe  mssecsvc.exe
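The three behavioural signatures that carry the most weight here (executes dropped EXE, drops file in Windows directory, contacts a large number of remote hosts) are simple to restate as detection logic over an event timeline. The block below is an added example, not the sandbox's own code: it re-implements those three checks and runs them over a constructed event stream that mirrors this report's process tree. The Event schema, the attribution of the 3225 outbound flows to PID 4396, the synthetic 10.0.0.0/16 target addresses and the 1000-host threshold are all assumptions; the pids, image paths and the host count are taken from the report.

```python
# Added example (not the sandbox's own code): three of this report's behavioural
# signatures re-implemented over a constructed event stream. The Event schema,
# the scanning pid (4396), the synthetic target addresses and the 1000-host
# threshold are assumptions; pids, paths and the 3225 count follow the report.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str     # "file" (file created), "proc" (process started), "net" (outbound flow)
    pid: int      # acting process
    image: str    # image path of the acting process
    target: str   # created file path / started image path / remote host


def _norm(path: str) -> str:
    # The sandbox records both C:\WINDOWS\... and C:\Windows\...; compare case-insensitively.
    return path.replace("/", "\\").lower()


def executes_dropped_exe(events):
    """Process starts whose image was created by an earlier file event (timeline order matters)."""
    dropped, hits = set(), []
    for ev in events:
        if ev.kind == "file":
            dropped.add(_norm(ev.target))
        elif ev.kind == "proc" and _norm(ev.target) in dropped:
            hits.append((ev.pid, ev.target))
    return hits


def drops_file_in_windows_dir(events):
    """File creations under C:\\Windows (any case), attributed to the writing process name."""
    return [
        (ev.image.rsplit("\\", 1)[-1], ev.target)
        for ev in events
        if ev.kind == "file" and _norm(ev.target).startswith("c:\\windows\\")
    ]


def contacts_many_hosts(events, threshold=1000):
    """Count distinct remote hosts per pid; return the pids at or above the threshold."""
    hosts = defaultdict(set)
    for ev in events:
        if ev.kind == "net":
            hosts[ev.pid].add(ev.target)
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


RUNDLL = r"C:\Windows\SysWOW64\rundll32.exe"
MSSECSVC = r"C:\WINDOWS\mssecsvc.exe"
TASKSCHE = r"C:\WINDOWS\tasksche.exe"

# Constructed timeline following the report: rundll32 (656) drops mssecsvc.exe,
# mssecsvc.exe (2276) drops and starts tasksche.exe (4036), and a second
# mssecsvc.exe instance (4396, "-m security") then fans out to 3225 hosts.
EVENTS = [
    Event("file", 656, RUNDLL, MSSECSVC),
    Event("proc", 2276, MSSECSVC, MSSECSVC),
    Event("file", 2276, MSSECSVC, TASKSCHE),
    Event("proc", 4036, TASKSCHE, TASKSCHE),
    Event("proc", 4396, MSSECSVC, MSSECSVC),
] + [
    # 3225 synthetic targets in 10.0.0.0/16 (constructed; the report gives only the count)
    Event("net", 4396, MSSECSVC, f"10.0.{i // 256}.{i % 256}") for i in range(3225)
]


def run_signatures(events=EVENTS):
    return {
        "executes_dropped_exe": executes_dropped_exe(events),
        "drops_file_in_windows_dir": drops_file_in_windows_dir(events),
        "contacts_many_hosts": contacts_many_hosts(events),
    }


if __name__ == "__main__":
    for name, hits in run_signatures().items():
        print(f"{name}: {hits}")
```

Run as a script it prints one line per signature. The ordering check in executes_dropped_exe is the point: a process whose image is created later in the timeline (or never) does not match, which is what separates "launched a file it just wrote" from "launched something that happened to be in C:\Windows".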
Processes
- C:\Windows\system32\rundll32.exe (depth 1, PID 4560)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1db8a92bfdf04eefe5e3a03c6f10d4a0.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2, PID 656)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1db8a92bfdf04eefe5e3a03c6f10d4a0.dll,#1
    (The 64-bit rundll32 re-launches the SysWOW64 copy with the same command line because the DLL is 32-bit, matching the arch:x86 resource tag.)
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (depth 3, PID 2276)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (depth 4, PID 4036)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (depth 1, PID 4396)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe (listed three times in the report, twice under the spelling C:\Windows\mssecsvc.exe, all with identical hashes)
  Filesize: 3.6MB
  MD5: c3a8622bebb5560c3e069ba0d29dd9da
  SHA1: 86220e94df437d1524e31eb6938fa110c6afea59
  SHA256: b9f36e556e35ab90c51d02a404676e65675e85ac1cfae2caf92327e0c0db83f7
  SHA512: 24b8bf4b52603a9dcd8f5bc975d9b8ee00d34428b0b7293a789504fb807124c03730368622152d5bab767d25a45b58d76b36f89ca70b4171c25fede063eb03fb
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 8ae55226b8317daa64f79b5fa1f1ca64
  SHA1: e47767b66115ab4381f39217fa2a23baf7b24585
  SHA256: c3803fdd7fe92e92b83e55e09815f507ef2c1863762befac168eec2a6be0787b
  SHA512: 67965e7360d4f88696a2a7309829c44bcbcfe0d4866ca87f0095a294070f2575004bad0817243022409256b784c0b53e310d48edc09cf0ace873a8885c74d45e
-
memory/656-130-0x0000000000000000-mapping.dmp
-
memory/2276-131-0x0000000000000000-mapping.dmp