Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:19
Static task: static1
Behavioral task: behavioral1
  Sample: 6ac6507b0b0b519d15e3724721675d0c.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 6ac6507b0b0b519d15e3724721675d0c.dll
  Resource: win10v2004-20220718-en
General
- Target: 6ac6507b0b0b519d15e3724721675d0c.dll
- Size: 5.0MB
- MD5: 6ac6507b0b0b519d15e3724721675d0c
- SHA1: 1c41949e4e84d84b7f827d3bf9ff0d5f154c195b
- SHA256: f7a244b2769935910f368021c1cb123f72b3822ab6a3f844e9169b1cf100da22
- SHA512: 29d98c34e2543bcce8b3229afc8361cb9dff1f97076fd7c1e9f0ed4c95335d8c016c61e9b502d59969f956f071ed59b42a76931a3c2b59aedc26ba31aee55c07
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3212) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvr.exe, mssecsvr.exe, tasksche.exe
  pid    process
  872    mssecsvr.exe
  5064   mssecsvr.exe
  1840   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (4 IoCs)
  Processes: rundll32.exe, mssecsvr.exe, tasksche.exe
  description    ioc                                               process
  File created   C:\WINDOWS\mssecsvr.exe                           rundll32.exe
  File created   C:\WINDOWS\tasksche.exe                           mssecsvr.exe
  File created   C:\Windows\__tmp_rar_sfx_access_check_240541687   tasksche.exe
  File created   C:\Windows\eee.exe                                tasksche.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvr.exe
  description       ioc                                                                                                    process
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvr.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvr.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      mssecsvr.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvr.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvr.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: rundll32.exe, rundll32.exe, mssecsvr.exe
  description                         pid    process        target process
  PID 3756 wrote to memory of 5112    3756   rundll32.exe   rundll32.exe
  PID 3756 wrote to memory of 5112    3756   rundll32.exe   rundll32.exe
  PID 3756 wrote to memory of 5112    3756   rundll32.exe   rundll32.exe
  PID 5112 wrote to memory of 872     5112   rundll32.exe   mssecsvr.exe
  PID 5112 wrote to memory of 872     5112   rundll32.exe   mssecsvr.exe
  PID 5112 wrote to memory of 872     5112   rundll32.exe   mssecsvr.exe
  PID 872 wrote to memory of 1840     872    mssecsvr.exe   tasksche.exe
  PID 872 wrote to memory of 1840     872    mssecsvr.exe   tasksche.exe
  PID 872 wrote to memory of 1840     872    mssecsvr.exe   tasksche.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ac6507b0b0b519d15e3724721675d0c.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3756
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ac6507b0b0b519d15e3724721675d0c.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 5112
    - C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 872
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        - Drops file in Windows directory
        PID: 1840
- C:\WINDOWS\mssecsvr.exe
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 5064
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvr.exe
  Filesize: 2.2MB
  MD5: c1a66896851931d109534feb0bfee6c3
  SHA1: 0c48c9ae51826781ab3d7fb530e11d315617f0bf
  SHA256: 69715de14478ab04f62ab2f386c6b6835f3156cb931baa6c6cf4d5a6ebd6dca6
  SHA512: e312adef421d1bd704322a1ee61087b33f4f83d429f19f2c3c5f133bbc9f3c4b29890d08a14c1759a2662e143b38d1796373820cb9d1c3e63dd913ff59200c37
- C:\WINDOWS\tasksche.exe
  Filesize: 2.0MB
  MD5: a7c2674187556e355208e61a88be97a1
  SHA1: c3a06f5022c108ac279b04bd8542f693cfaf795d
  SHA256: a7a524bb861b7faa5bc98637dbe9b995f9ac2cd27e19d3f6babefda6a150a8fd
  SHA512: cb380a0d2aac56bb13f337a65b68a2ecb8f677b83fe38e6c23ee69877aff3198b34265b186cf47ebe2008340a3fb4cb18179c4b8cc6ed978b5d84acecd5db8fb
- C:\Windows\mssecsvr.exe
  Filesize: 2.2MB
  MD5: c1a66896851931d109534feb0bfee6c3
  SHA1: 0c48c9ae51826781ab3d7fb530e11d315617f0bf
  SHA256: 69715de14478ab04f62ab2f386c6b6835f3156cb931baa6c6cf4d5a6ebd6dca6
  SHA512: e312adef421d1bd704322a1ee61087b33f4f83d429f19f2c3c5f133bbc9f3c4b29890d08a14c1759a2662e143b38d1796373820cb9d1c3e63dd913ff59200c37
- C:\Windows\tasksche.exe
  Filesize: 2.0MB
  MD5: a7c2674187556e355208e61a88be97a1
  SHA1: c3a06f5022c108ac279b04bd8542f693cfaf795d
  SHA256: a7a524bb861b7faa5bc98637dbe9b995f9ac2cd27e19d3f6babefda6a150a8fd
  SHA512: cb380a0d2aac56bb13f337a65b68a2ecb8f677b83fe38e6c23ee69877aff3198b34265b186cf47ebe2008340a3fb4cb18179c4b8cc6ed978b5d84acecd5db8fb
- memory/872-131-0x0000000000000000-mapping.dmp
- memory/1840-135-0x0000000000000000-mapping.dmp
- memory/5112-130-0x0000000000000000-mapping.dmp