Analysis
- max time kernel: 163s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:27
Static task: static1
Behavioral task: behavioral1
- Sample: a887a2a64f99c94907f4c002c71a8890.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: a887a2a64f99c94907f4c002c71a8890.dll
- Resource: win10v2004-20220718-en
General
- Target: a887a2a64f99c94907f4c002c71a8890.dll
- Size: 5.0MB
- MD5: a887a2a64f99c94907f4c002c71a8890
- SHA1: c6da5fe8653fc1a3bc3f13e1cbfa13eb58072e44
- SHA256: 77e12c008e54a0bae4ef671851646d046c8bd5cac7be9c4d51a1c6826c4e39d1
- SHA512: db1f7d28c041e001ab502a2d4f518df6ab1dd05e6b2d70384e6679f33ab9d1308be62424a4dfab395295bda2c809526755311ad856c0a8b9976662363f7bd62b
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3122) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    3604 | mssecsvc.exe
    4484 | mssecsvc.exe
    3760 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 3220 wrote to memory of 4736 | 3220 | rundll32.exe | rundll32.exe
    PID 3220 wrote to memory of 4736 | 3220 | rundll32.exe | rundll32.exe
    PID 3220 wrote to memory of 4736 | 3220 | rundll32.exe | rundll32.exe
    PID 4736 wrote to memory of 3604 | 4736 | rundll32.exe | mssecsvc.exe
    PID 4736 wrote to memory of 3604 | 4736 | rundll32.exe | mssecsvc.exe
    PID 4736 wrote to memory of 3604 | 4736 | rundll32.exe | mssecsvc.exe
Processes (tree; indentation shows parent/child relationship)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a887a2a64f99c94907f4c002c71a8890.dll,#1
  PID: 3220
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a887a2a64f99c94907f4c002c71a8890.dll,#1
    PID: 4736
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3604
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3760
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4484
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: d2b4be294de6e71e3790aee24c8566fa
  SHA1: f46223ca3f29226d092811c7b8422eb61d97e646
  SHA256: e4e606677dea03368a3a73036f6761c9dd4e70f0768c65a0a5af442859cb57db
  SHA512: 145b3ae3d29189eb5e1cce2e60215d4c27c6ae2e9fd25fbd3ed7013642982e07e300c5e1c73904050df4237e5209b2a2a222df78285453a2d93a703dfa6da90a
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: d2b4be294de6e71e3790aee24c8566fa
  SHA1: f46223ca3f29226d092811c7b8422eb61d97e646
  SHA256: e4e606677dea03368a3a73036f6761c9dd4e70f0768c65a0a5af442859cb57db
  SHA512: 145b3ae3d29189eb5e1cce2e60215d4c27c6ae2e9fd25fbd3ed7013642982e07e300c5e1c73904050df4237e5209b2a2a222df78285453a2d93a703dfa6da90a
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 63f5eea6935e0f325865258c68e4a5c6
  SHA1: 1e3a257405de49f6e5e8114a02ac671dee1bc218
  SHA256: a1c3d00cbc804b0af9084d8ba2777570655e526206653f65965c17d2fc829c37
  SHA512: 04d705455c347a38cd857c98accfab41d1e06c12a358387d5de125bb4dfcb357ebc6b0a0e04a4d6922db1b89407dcf2e647d53ea7c74aca66316a18a5b18e346
- memory/3604-131-0x0000000000000000-mapping.dmp
- memory/4736-130-0x0000000000000000-mapping.dmp