Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 01:33
Static task: static1

Behavioral task: behavioral1
  Sample: d1e3bb77d27f27e98a33a21d16f35dde.dll
  Resource: win7-20220718-en

Behavioral task: behavioral2
  Sample: d1e3bb77d27f27e98a33a21d16f35dde.dll
  Resource: win10v2004-20220718-en
General

Target: d1e3bb77d27f27e98a33a21d16f35dde.dll
Size: 5.0MB
MD5: d1e3bb77d27f27e98a33a21d16f35dde
SHA1: a00abd82ed0a4f90c4525692f20b8f64954263d8
SHA256: 5ff3670dc706430739e4ab20f8777d5ac3ace433bb0783b038fe8f9aaa2af461
SHA512: f7f8fdc2afc776a9fecce2cf4999afcc3a89c9ec5fc7b33e589b8286419ff5f8cf4a5f4db2c2bab60fa55ca771b72b7f4c791c31b345c7a074409c8b6e4565a8
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3179) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  4916  mssecsvc.exe
  4496  mssecsvc.exe
  4192  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes:
  process       description   ioc
  rundll32.exe  File created  C:\WINDOWS\mssecsvc.exe
  mssecsvc.exe  File created  C:\WINDOWS\tasksche.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes:
  process       description      ioc
  mssecsvc.exe  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  mssecsvc.exe  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  mssecsvc.exe  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  mssecsvc.exe  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  mssecsvc.exe  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  process       pid   description         target process  target pid
  rundll32.exe  4880  wrote to memory of  rundll32.exe    2700
  rundll32.exe  4880  wrote to memory of  rundll32.exe    2700
  rundll32.exe  4880  wrote to memory of  rundll32.exe    2700
  rundll32.exe  2700  wrote to memory of  mssecsvc.exe    4916
  rundll32.exe  2700  wrote to memory of  mssecsvc.exe    4916
  rundll32.exe  2700  wrote to memory of  mssecsvc.exe    4916
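The two network-scan signatures above rest on a single measurement: how many distinct remote hosts one process reaches in a short time (3179 in this run). The following is an added example, not code from the sandbox report or from the sample, that applies the same measurement to connection records: it keeps a sliding time window per process, counts the distinct destination hosts inside it, and flags any process whose peak fan-out reaches a threshold. The flow records, addresses, timings, the ports used and the 100-host / 60-second thresholds are constructed assumptions; only the PIDs and image names are taken from the report.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt (constructed, not from the report)."""
    ts: float       # seconds since capture start
    pid: int
    image: str      # process image name
    dst_ip: str
    dst_port: int


# Both numbers are assumptions for this example; tune them per network.
SCAN_THRESHOLD = 100   # distinct destination hosts inside one window
WINDOW_S = 60.0        # sliding window length in seconds


def peak_fan_out(flows, window_s=WINDOW_S):
    """For each (pid, image): the largest number of distinct destination
    hosts contacted inside any window_s-second sliding window."""
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f.pid, f.image)].append(f)
    peaks = {}
    for key, fl in by_proc.items():
        fl.sort(key=lambda f: f.ts)
        window = deque()
        live = defaultdict(int)      # dst_ip -> flows still inside the window
        peak = 0
        for f in fl:
            window.append(f)
            live[f.dst_ip] += 1
            while f.ts - window[0].ts > window_s:   # expire flows that fell out
                old = window.popleft()
                live[old.dst_ip] -= 1
                if live[old.dst_ip] == 0:
                    del live[old.dst_ip]
            peak = max(peak, len(live))
        peaks[key] = peak
    return peaks


def detect_scanners(flows, threshold=SCAN_THRESHOLD, window_s=WINDOW_S):
    """(pid, image, peak) for every process whose peak fan-out reaches the
    threshold, largest fan-out first."""
    hits = [(pid, image, n)
            for (pid, image), n in peak_fan_out(flows, window_s).items()
            if n >= threshold]
    return sorted(hits, key=lambda h: -h[2])


def build_sample_flows():
    """Constructed sample traffic. PIDs and image names mirror the report's
    process tree; addresses, timing and port numbers are assumptions."""
    flows = []
    # mssecsvc.exe sweeps two /24 ranges (508 hosts) in about ten seconds.
    i = 0
    for third in (0, 1):
        for host in range(1, 255):
            flows.append(Flow(0.02 * i, 4496, "mssecsvc.exe", f"10.0.{third}.{host}", 445))
            i += 1
    # rundll32.exe touches three hosts: well below the threshold.
    for n, ip in enumerate(("10.0.0.5", "10.0.0.9", "10.0.0.12")):
        flows.append(Flow(1.0 + n, 2700, "rundll32.exe", ip, 445))
    # A browser hitting one host 200 times is many flows but not a scan.
    for n in range(200):
        flows.append(Flow(0.1 * n, 1234, "chrome.exe", "192.0.2.10", 443))
    # svchost.exe reaches 150 distinct hosts, but only one every two seconds,
    # so no 60-second window ever holds more than 31 of them.
    for n in range(150):
        flows.append(Flow(2.0 * n, 900, "svchost.exe", f"10.1.0.{n + 1}", 135))
    return flows


if __name__ == "__main__":
    for pid, image, n in detect_scanners(build_sample_flows()):
        print(f"scan-like fan-out: {image} (pid {pid}) reached {n} hosts")
```

Counting distinct hosts rather than raw flows is what separates the sweep from the chatty browser, and the sliding window is what separates it from slow, legitimate fan-out; the sandbox's "Contacts a large amount of remote hosts" and "Creates a large amount of network flows" signatures are the two sides of that distinction.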
Processes
(bracketed number = depth in the process tree)

[1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e3bb77d27f27e98a33a21d16f35dde.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 4880
    [2] C:\Windows\SysWOW64\rundll32.exe
        command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e3bb77d27f27e98a33a21d16f35dde.dll,#1
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
        PID: 2700
        [3] C:\WINDOWS\mssecsvc.exe
            command line: C:\WINDOWS\mssecsvc.exe
            - Executes dropped EXE
            - Drops file in Windows directory
            PID: 4916
            [4] C:\WINDOWS\tasksche.exe
                command line: C:\WINDOWS\tasksche.exe /i
                - Executes dropped EXE
                PID: 4192

[1] C:\WINDOWS\mssecsvc.exe
    command line: C:\WINDOWS\mssecsvc.exe -m security
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID: 4496
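The IoC tables in the Signatures section and the process tree above describe one chain: rundll32.exe loads the DLL from the user's Temp directory by export ordinal (,#1), writes mssecsvc.exe into C:\WINDOWS and runs it, mssecsvc.exe writes and runs tasksche.exe /i, and a second mssecsvc.exe instance (-m security) sets ZoneMap values under HKEY_USERS\.DEFAULT. The following is an added example, not code from the report or from the sample, that turns those observations into detection rules over Sysmon-style process, file and registry events and correlates them through parent/child links. The event schema (type, pid, ppid, image, cmdline, target, key, value), the parent links the report does not show (ppid None) and the benign notepad.exe noise events are assumptions; the PIDs, paths, command lines and registry values come from the report.

```python
import re
from collections import defaultdict

ZONEMAP_KEY = (r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows"
               r"\CurrentVersion\Internet Settings\ZoneMap")

# Constructed Sysmon-style events; field names are an assumption.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4880, "ppid": None,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e3bb77d27f27e98a33a21d16f35dde.dll,#1"},
    {"type": "process", "pid": 2700, "ppid": 4880,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e3bb77d27f27e98a33a21d16f35dde.dll,#1"},
    {"type": "file", "pid": 2700, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": 4916, "ppid": 2700,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file", "pid": 4916, "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": 4192, "ppid": 4916,
     "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process", "pid": 4496, "ppid": None,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
] + [
    {"type": "registry", "pid": 4496, "image": r"C:\WINDOWS\mssecsvc.exe",
     "key": ZONEMAP_KEY + "\\" + name, "value": value}
    for name, value in (("ProxyBypass", 1), ("IntranetName", 1),
                        ("UNCAsIntranet", 1), ("AutoDetect", 0))
] + [
    # Benign noise (constructed) that must not trigger anything.
    {"type": "process", "pid": 1200, "ppid": 800,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "file", "pid": 1200, "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\Admin\Desktop\notes.txt"},
]

# A DLL under the user's Temp directory invoked through an export ordinal.
TEMP_DLL_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.IGNORECASE)
# An executable written directly into the Windows directory (not a subfolder).
EXE_IN_WINDOWS_ROOT = re.compile(r"^C:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)
# The four ZoneMap values the report shows being set for the .DEFAULT profile.
ZONEMAP_VALUE = re.compile(
    r"^\\REGISTRY\\USER\\\.DEFAULT\\.*\\Internet Settings\\ZoneMap\\"
    r"(ProxyBypass|IntranetName|UNCAsIntranet|AutoDetect)$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chain, seen = [], set()
    while pid in procs and pid not in seen:     # seen guards against pid reuse loops
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def evaluate(events):
    """Run the rules in event order; returns {rule: sorted pids that fired it}."""
    hits = defaultdict(set)
    dropped = set()            # paths written by any process so far (lowercased)
    for e in events:
        kind = e["type"]
        if kind == "process":
            if basename(e["image"]) == "rundll32.exe" and TEMP_DLL_ORDINAL.search(e["cmdline"]):
                hits["rundll32_loads_temp_dll_by_ordinal"].add(e["pid"])
            if e["image"].lower() in dropped:          # "Executes dropped EXE"
                hits["dropped_exe_executed"].add(e["pid"])
            if ancestry(events, e["pid"])[-3:] == ["rundll32.exe", "mssecsvc.exe", "tasksche.exe"]:
                hits["rundll32_mssecsvc_tasksche_chain"].add(e["pid"])
        elif kind == "file":
            dropped.add(e["target"].lower())
            if EXE_IN_WINDOWS_ROOT.match(e["target"]):  # "Drops file in Windows directory"
                hits["exe_dropped_in_windows_root"].add(e["pid"])
        elif kind == "registry":
            m = ZONEMAP_VALUE.match(e["key"])
            # AutoDetect is set to 0, the other three to 1, exactly as the report lists.
            if m and e["value"] == (0 if m.group(1).lower() == "autodetect" else 1):
                hits["default_profile_zonemap_modified"].add(e["pid"])
    return {rule: sorted(pids) for rule, pids in hits.items()}


if __name__ == "__main__":
    for rule, pids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: {pids}")
```

The dropped-file rule deliberately keys on the full path written by an earlier file event rather than on the names mssecsvc.exe and tasksche.exe, so it survives a renamed dropper; the chain rule is the narrow, name-specific one and is the only rule that should be read as WannaCry-specific.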
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\WINDOWS\mssecsvc.exe (listed three times in the report, twice as C:\Windows\mssecsvc.exe, with identical hashes)
Filesize: 3.6MB
MD5: 5ba925494b73756d097e80120e2f8643
SHA1: 94802dd4290fb1a754d4e528b9b17f8cede48684
SHA256: 0dc746e2f1d11dce59e2204750efa789ce75e3adda8a6ffa2abd12cb3686d351
SHA512: 791192fa7a9774c8d2315557ea10312ac37a774ea253c4edbd66d1c6ee58044d851254fe14f887fc99e13ead7b0c0baa9f88b25db8db3225771695f4787663a0

C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: 3b77b7c0b982d993043f011f53c197a3
SHA1: c61468cd39a074654adba2081bf5889ef68887b4
SHA256: 5d84cf9769c5820e7932497ed6a333c7df27ad01329884059418970af0918653
SHA512: 680b0aceeb9204beb325a2fef8f536d36bad08dfded92d70b6ec0f3a4ae884b73a78fd764883b1210963711ad1d86a9f87646e7410e2f4678fc862f4f9344867

memory/2700-130-0x0000000000000000-mapping.dmp
memory/4916-131-0x0000000000000000-mapping.dmp