Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:30
Static task: static1
Behavioral task: behavioral1
- Sample: 073906fb1146a94214c99d3415297b5b.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 073906fb1146a94214c99d3415297b5b.dll
- Resource: win10v2004-20220718-en
General
- Target: 073906fb1146a94214c99d3415297b5b.dll
- Size: 5.0MB
- MD5: 073906fb1146a94214c99d3415297b5b
- SHA1: 517e601390f3ecdd41931a96b8196cba424ba805
- SHA256: fafa7cb85fe7b111bf2484141d8dd4ad763007202b1e78aa7ebdaab3bb121a26
- SHA512: 79f42b6094d4742085c8dba0e554f32d80ec73381d7442669892fc7cea9241c94ea4a0010713f2c901fa6347b228c3a8a60ff300a38c4eff98c379d8cea2e9ab
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2678) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes (pid, process):
  1156  mssecsvc.exe
  3032  mssecsvc.exe
  4984  tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
Modifies data under HKEY_USERS 5 IoCs
Processes (description, ioc, process):
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes (description, pid, process, target process):
  PID 868 wrote to memory of 984   868  rundll32.exe  rundll32.exe
  PID 868 wrote to memory of 984   868  rundll32.exe  rundll32.exe
  PID 868 wrote to memory of 984   868  rundll32.exe  rundll32.exe
  PID 984 wrote to memory of 1156  984  rundll32.exe  mssecsvc.exe
  PID 984 wrote to memory of 1156  984  rundll32.exe  mssecsvc.exe
  PID 984 wrote to memory of 1156  984  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\073906fb1146a94214c99d3415297b5b.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 868
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\073906fb1146a94214c99d3415297b5b.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 984
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1156
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4984
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 3032
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6e62c9ba8c9b866018f43687cc9d82f7
  SHA1: b92d863de68be1fa1610d7b36ebaaee07177d25c
  SHA256: d7c2aa2180b52adff9b3426d2fdc06403e48d964d2d27cf717487062b7956a89
  SHA512: 2a5b4f7b1d4107db8e84609ce9f8dbabd1087a68056c9ab60bf3c26baf11fb04666757013717b062869e43894cbb354315868d0700cffab88d83212928b24640
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6e62c9ba8c9b866018f43687cc9d82f7
  SHA1: b92d863de68be1fa1610d7b36ebaaee07177d25c
  SHA256: d7c2aa2180b52adff9b3426d2fdc06403e48d964d2d27cf717487062b7956a89
  SHA512: 2a5b4f7b1d4107db8e84609ce9f8dbabd1087a68056c9ab60bf3c26baf11fb04666757013717b062869e43894cbb354315868d0700cffab88d83212928b24640
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f9e34b42cb41b3b94857e1e65ce49bf5
  SHA1: 8ca85df9e553fb73780f4f461d1ceef50d0f8bee
  SHA256: 23854b9310e703c5ae103bb5de5c83cf89bc10138fecab99533ebc4dd7207be7
  SHA512: a1014103e6c892a89d8b89775a12a9d5a2baab777606baac36157d2272b2dd19c55356a09ff4cb0bcdd3b36fb49258c97d3a7b9c7bd6bafa2eac063b0136d02a
- memory/984-130-0x0000000000000000-mapping.dmp
- memory/1156-131-0x0000000000000000-mapping.dmp