Analysis
-
max time kernel
150s
-
max time network
153s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220718-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
20-07-2022 01:19
Static task
static1
Behavioral task
behavioral1
Sample
06a935e7f87cf2480e3fbc605c67bab7.dll
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
06a935e7f87cf2480e3fbc605c67bab7.dll
Resource
win10v2004-20220718-en
General
-
Target
06a935e7f87cf2480e3fbc605c67bab7.dll
-
Size
5.0MB
-
MD5
06a935e7f87cf2480e3fbc605c67bab7
-
SHA1
9a4099b70455c1665c905cf86388df9e058433a5
-
SHA256
9a7fd407910092ac9920fc621865bbdd80f3385238834eb977812c664132618b
-
SHA512
5d2add3b2855d6cae3fe7dfc1a611aa13897965d06aa86e955aa32f972b4c174691627251fd7145416b3d2462088bec5932e3a6687b878b4ed3f3f7966fd8f20
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3350) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 2 IoCs
Processes:
mssecsvr.exe, mssecsvr.exe
pid | process
3744 | mssecsvr.exe
2672 | mssecsvr.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exe, mssecsvr.exe
description | ioc | process
File created | C:\WINDOWS\mssecsvr.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvr.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvr.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvr.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exe, rundll32.exe
description | pid | process | target process
PID 1800 wrote to memory of 860 | 1800 | rundll32.exe | rundll32.exe
PID 1800 wrote to memory of 860 | 1800 | rundll32.exe | rundll32.exe
PID 1800 wrote to memory of 860 | 1800 | rundll32.exe | rundll32.exe
PID 860 wrote to memory of 3744 | 860 | rundll32.exe | mssecsvr.exe
PID 860 wrote to memory of 3744 | 860 | rundll32.exe | mssecsvr.exe
PID 860 wrote to memory of 3744 | 860 | rundll32.exe | mssecsvr.exe
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\06a935e7f87cf2480e3fbc605c67bab7.dll,#1
Process tree depth: 1
- Suspicious use of WriteProcessMemory
PID: 1800
-
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\06a935e7f87cf2480e3fbc605c67bab7.dll,#1
Process tree depth: 2
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID: 860
-
C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe
Process tree depth: 3
- Executes dropped EXE
- Drops file in Windows directory
PID: 3744
-
C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
Process tree depth: 1
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 2672
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB
MD5
5bdb4efdc9ed8e2f54c35ca11daee0ee
SHA1
cc65e844959b6c2439d5bd2d352b473d56f73097
SHA256
50dce00e3bbf1f4500aa0d8518e1ae9b826e69ba3a02d008831e5ee9f93a10ec
SHA512
b727171ab3ef6e74d2eb85d2922f428158449ebea6a1ee0cc23239c2adc0875a13bcf62f8be0eebee08b74f6546e0efe2768a8fcad4dc9163bd1f5ae38d87639
-
C:\Windows\mssecsvr.exe
Filesize
2.2MB
MD5
5bdb4efdc9ed8e2f54c35ca11daee0ee
SHA1
cc65e844959b6c2439d5bd2d352b473d56f73097
SHA256
50dce00e3bbf1f4500aa0d8518e1ae9b826e69ba3a02d008831e5ee9f93a10ec
SHA512
b727171ab3ef6e74d2eb85d2922f428158449ebea6a1ee0cc23239c2adc0875a13bcf62f8be0eebee08b74f6546e0efe2768a8fcad4dc9163bd1f5ae38d87639
-
memory/860-130-0x0000000000000000-mapping.dmp
-
memory/3744-131-0x0000000000000000-mapping.dmp