Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:35
Static task: static1
Behavioral task: behavioral1
- Sample: fdc06e09bd0d4683eae51940922c325d.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: fdc06e09bd0d4683eae51940922c325d.dll
- Resource: win10v2004-20220718-en
General
- Target: fdc06e09bd0d4683eae51940922c325d.dll
- Size: 5.0MB
- MD5: fdc06e09bd0d4683eae51940922c325d
- SHA1: a55f954ada5ddb7faf4ec3db3ea3a7b7416325fd
- SHA256: 3db99d9bdf316d6f945c59db3ff53b71354c5c2080ee78ae39b61a03a2c1c52e
- SHA512: 036075ebd79a14a07e0a260c7d3e4cef425dcf5a84c9d7193f9dcc23227945b5914f0864fc72db6e445d296f65125926749eb256a99ee05fc28ba4105d1c6182
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3223) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 3436, mssecsvc.exe
  - 3528, mssecsvc.exe
  - 4016, tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created, C:\WINDOWS\mssecsvc.exe, rundll32.exe
  - File created, C:\WINDOWS\tasksche.exe, mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
  - Set value (int), \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1", mssecsvc.exe
  - Set value (int), \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0", mssecsvc.exe
  - Key created, \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\, mssecsvc.exe
  - Set value (int), \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1", mssecsvc.exe
  - Set value (int), \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1", mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 3044 wrote to memory of 4116, 3044, rundll32.exe, rundll32.exe
  - PID 3044 wrote to memory of 4116, 3044, rundll32.exe, rundll32.exe
  - PID 3044 wrote to memory of 4116, 3044, rundll32.exe, rundll32.exe
  - PID 4116 wrote to memory of 3436, 4116, rundll32.exe, mssecsvc.exe
  - PID 4116 wrote to memory of 3436, 4116, rundll32.exe, mssecsvc.exe
  - PID 4116 wrote to memory of 3436, 4116, rundll32.exe, mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 3044)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fdc06e09bd0d4683eae51940922c325d.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4116)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fdc06e09bd0d4683eae51940922c325d.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3436)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4016)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 3528)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 3ebba136ed968ee57159e02ca64ecea4
  SHA1: 4d103665c6e8cd78994b09c3e6e623fb5a09055c
  SHA256: d974b041dbf10b67eb032b82fa5bdc9e67f463884ca2df479691b6e2cf72143f
  SHA512: 27003a0067312b8b566dc517f7452ad3e8d6a2ea82c5c8e282e853b69660ada6eb89000de3f4a3a14accae1ab2c74c9984e80c45e0817ead6753f68705531820
- C:\Windows\mssecsvc.exe (same file, size and hashes as the C:\WINDOWS\mssecsvc.exe entry above)
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: eba622d9c8473e1542b3c611252f9332
  SHA1: 5f121b16ffa3ce1282e9dc8c59df7a4756b2165d
  SHA256: b53ebec134709bd98664413ca16702068dd07312e2d61dfbf5a09ca704164998
  SHA512: 76e5d39cf6dd472abd89a857452e7885d352517e5b27ed3ed0d6811d34f2f60bd9cdbb0ed4a8b9cc9f71db65c8c51c7c8e8db0a7899aaf2a1240113de23b9618
- memory/3436-131-0x0000000000000000-mapping.dmp
- memory/4116-130-0x0000000000000000-mapping.dmp