Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 01:23
Static task: static1
Behavioral task: behavioral1
  Sample: 4c35693cadb792e90bdddc8380b842c5.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 4c35693cadb792e90bdddc8380b842c5.dll
  Resource: win10v2004-20220718-en
General
Target: 4c35693cadb792e90bdddc8380b842c5.dll
Size: 5.0MB
MD5: 4c35693cadb792e90bdddc8380b842c5
SHA1: 746a147d80ad18a14675cd3ac6ab36732b005993
SHA256: ec29f4db6e43c8bfad91f4d2910c6db42b975d33f7a51c69ea9e0dc9d400584f
SHA512: 74ae721343082477fc09ef865d595c2150b085bea7e935e52587946da0ac0f54296a85cacdd37c9b70518668ffaf55012e8f21feade02a433363217d92544630
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3079) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    5000 | mssecsvc.exe
    2192 | mssecsvc.exe
    1516 | tasksche.exe

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                     | process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

Program crash (2 IoCs)
  Processes:
    pid  | pid_target | process      | target process
    3972 | 1516       | WerFault.exe | tasksche.exe
    2232 | 1516       | WerFault.exe | tasksche.exe

Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description     | ioc                                                                                                        | process
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                      | pid  | process      | target process
    PID 4952 wrote to memory of 4988 | 4952 | rundll32.exe | rundll32.exe
    PID 4952 wrote to memory of 4988 | 4952 | rundll32.exe | rundll32.exe
    PID 4952 wrote to memory of 4988 | 4952 | rundll32.exe | rundll32.exe
    PID 4988 wrote to memory of 5000 | 4988 | rundll32.exe | mssecsvc.exe
    PID 4988 wrote to memory of 5000 | 4988 | rundll32.exe | mssecsvc.exe
    PID 4988 wrote to memory of 5000 | 4988 | rundll32.exe | mssecsvc.exe
    PID 5000 wrote to memory of 1516 | 5000 | mssecsvc.exe | tasksche.exe
    PID 5000 wrote to memory of 1516 | 5000 | mssecsvc.exe | tasksche.exe
    PID 5000 wrote to memory of 1516 | 5000 | mssecsvc.exe | tasksche.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c35693cadb792e90bdddc8380b842c5.dll,#1
  PID: 4952
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c35693cadb792e90bdddc8380b842c5.dll,#1
    PID: 4988
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      PID: 5000
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        PID: 1516
        - Executes dropped EXE
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 224
          PID: 3972
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 244
          PID: 2232
          - Program crash

C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2192
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 1516 -ip 1516
  PID: 4156

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1516 -ip 1516
  PID: 4480
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4e9e7d540c73d79a641299c02154a342
  SHA1: 259a5feb4e5032d32474042aad4e3444da12df1d
  SHA256: 52f6872620f955c3ba83cb5b7662409317811a32890f1545c6aeeea851fd38a5
  SHA512: 770943a07fb2889071c3f2ae82d2db1340c871c2e95beb4fd8d64fec14451ce98c3ec7cfbc2097f6958f345f827b2de597742183530d32621793daf0c7c0c6c9

C:\WINDOWS\tasksche.exe
  Filesize: 3.4MB
  MD5: 05b62993be8f2411988da09e828ea3a9
  SHA1: a211ce025d3f266f8e60dbb5985d6b6bc6fbd795
  SHA256: e1e1d0a7b950fee4294a3e8b8c944e215d9c9cd1aa718cc87d48c2bc2f71d149
  SHA512: 0fd8b0d191e1ef44da171bf261532394a87d5c766c49979f5061bd68d42452e741f9c6ae3dad6ff301db1c5069e533e63f6a976398c782da79b194f8da5e5559

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4e9e7d540c73d79a641299c02154a342
  SHA1: 259a5feb4e5032d32474042aad4e3444da12df1d
  SHA256: 52f6872620f955c3ba83cb5b7662409317811a32890f1545c6aeeea851fd38a5
  SHA512: 770943a07fb2889071c3f2ae82d2db1340c871c2e95beb4fd8d64fec14451ce98c3ec7cfbc2097f6958f345f827b2de597742183530d32621793daf0c7c0c6c9

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 05b62993be8f2411988da09e828ea3a9
  SHA1: a211ce025d3f266f8e60dbb5985d6b6bc6fbd795
  SHA256: e1e1d0a7b950fee4294a3e8b8c944e215d9c9cd1aa718cc87d48c2bc2f71d149
  SHA512: 0fd8b0d191e1ef44da171bf261532394a87d5c766c49979f5061bd68d42452e741f9c6ae3dad6ff301db1c5069e533e63f6a976398c782da79b194f8da5e5559

Memory dumps:
  memory/1516-135-0x0000000000000000-mapping.dmp
  memory/4988-130-0x0000000000000000-mapping.dmp
  memory/5000-131-0x0000000000000000-mapping.dmp