Analysis
max time kernel: 142s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 02:21
Static task: static1
Behavioral task: behavioral1
  Sample: 76bdc9c6a2d8643950698542a606efab.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 76bdc9c6a2d8643950698542a606efab.dll
  Resource: win10v2004-20220718-en
General
Target: 76bdc9c6a2d8643950698542a606efab.dll
Size: 5.0MB
MD5: 76bdc9c6a2d8643950698542a606efab
SHA1: 4bd52eee52b52c0b9e1e3bbad7ff8933c7c56c03
SHA256: 6150c2592384c9a6bd61f7c1c639a880ad280c990cb42dd85f2057ae98749ccc
SHA512: 078c54e3a43fb728882cca77e1444a2d082cea8a8acd72a7b9203d78ce70b4078446019a6cd0596e3b3a0ff4d169af0225a7ab4fb97b25b4202bbc09633baf6c
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm: it encrypts files on the infected host and spreads to other machines over SMB without user interaction.
Contacts a large (3152) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services. For WannaCry it is the worm's propagation scan, so the host count measures how aggressively the sample spreads: 3152 distinct hosts inside a 155-second run is far outside any workstation baseline.
Executes dropped EXE 3 IoCs
Processes:
PID   Process
2860  mssecsvc.exe
3620  mssecsvc.exe
3780  tasksche.exe
Creates a large number of network flows 1 TTPs
This may indicate a network scan to discover remotely running services. It is the same propagation scan seen from the flow side: every probed host produces at least one new flow, so this signature and the remote-host signature above fire together.
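The two network signatures above both describe fan-out: one source reaching an unusually large number of distinct destinations in a short time. The detector below is an added example, not part of the sandbox output; it runs a sliding-window distinct-peer count over constructed flow records (the 3152-host figure is taken from the report, the IP addresses, timestamps and the benign client are invented) and flags any source that exceeds a threshold, optionally restricted to one destination port so that SMB propagation is not diluted by ordinary traffic.

```python
"""Fan-out detector for worm-style propagation scans over flow records.
Added example with constructed data; not from the sandbox report."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import IPv4Address


def make_sample_flows():
    """Constructed flow records (timestamp, src, dst, dport), not from the report.
    10.0.0.5 plays the worm: 3152 distinct peers on TCP/445 in about two minutes,
    matching the host count the sandbox observed. 10.0.0.7 is a benign client."""
    t0 = datetime(2022, 7, 20, 2, 21, 0)
    base = int(IPv4Address("10.1.0.0"))
    flows = []
    for i in range(3152):
        flows.append((t0 + timedelta(milliseconds=38 * i), "10.0.0.5",
                      str(IPv4Address(base + i)), 445))
    for i in range(20):
        flows.append((t0 + timedelta(seconds=i), "10.0.0.7", "10.0.0.1", 53))
        flows.append((t0 + timedelta(seconds=i), "10.0.0.7", "10.0.0.2", 443))
    return flows


def peak_distinct_peers(flows, window=timedelta(seconds=60), dport=None):
    """For each source, the largest number of distinct destination hosts seen in
    any window of length `window`. If `dport` is given, only flows to that port
    count (445 isolates SMB propagation from browsing and DNS traffic)."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if dport is None or port == dport:
            by_src[src].append((ts, dst))
    peak = {}
    for src, events in by_src.items():
        events.sort()
        live = deque()             # (ts, dst) records still inside the window
        hits = defaultdict(int)    # dst -> number of live records for it
        best = 0
        for ts, dst in events:
            live.append((ts, dst))
            hits[dst] += 1
            while ts - live[0][0] > window:   # evict records older than the window
                _, old_dst = live.popleft()
                hits[old_dst] -= 1
                if hits[old_dst] == 0:
                    del hits[old_dst]
            best = max(best, len(hits))
        peak[src] = best
    return peak


def fanout_alerts(flows, threshold=100, window=timedelta(seconds=60), dport=None):
    """Sources whose peak distinct-peer count reaches `threshold`. 100 peers in
    60 s is far below the worm's rate and far above a normal workstation; tune
    it against the baseline of the network being monitored."""
    return {src: n for src, n in peak_distinct_peers(flows, window, dport).items()
            if n >= threshold}


if __name__ == "__main__":
    for src, n in fanout_alerts(make_sample_flows(), dport=445).items():
        print(f"{src}: {n} distinct hosts on TCP/445 within 60 s")
```

The window is evaluated per source with a deque, so memory stays bounded by the number of flows inside one window rather than the whole capture; on real data, feed it NetFlow, Zeek conn.log or firewall records in arrival order and keep a separate, lower threshold for TCP/445 than for general traffic.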
Drops file in Windows directory 2 IoCs
Processes:
Description   IoC                      Process
File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
Both drops land directly in the Windows directory rather than a user-writable path; writing there requires administrative rights, so the chain depends on the initial rundll32.exe already running elevated.
Modifies data under HKEY_USERS 5 IoCs
Processes:
Description      IoC                                                                                                    Process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
The hive is .DEFAULT, the profile used by services running as LocalSystem, which matches the mssecsvc.exe -m security instance in the process tree. ZoneMap values like these are typically written when a SYSTEM-context process initialises WinINet (WannaCry's mssecsvc.exe performs its kill-switch URL check with WinINet), so on their own they are a weak indicator; the file drops and the process chain are the ones to key on.
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Description         Source PID  Source process  Target PID  Target process  Count
wrote to memory of  3856        rundll32.exe    4576        rundll32.exe    3
wrote to memory of  4576        rundll32.exe    2860        mssecsvc.exe    3
All six writes go from a parent into the child it has just created, which is ordinary process-creation behaviour rather than injection into an unrelated process; what matters is the chain they trace (rundll32.exe to rundll32.exe to mssecsvc.exe).
Processes
1  C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\76bdc9c6a2d8643950698542a606efab.dll,#1
   - Suspicious use of WriteProcessMemory
  2  C:\Windows\SysWOW64\rundll32.exe
     rundll32.exe C:\Users\Admin\AppData\Local\Temp\76bdc9c6a2d8643950698542a606efab.dll,#1
     - Drops file in Windows directory
     - Suspicious use of WriteProcessMemory
    3  C:\WINDOWS\mssecsvc.exe
       C:\WINDOWS\mssecsvc.exe
       - Executes dropped EXE
       - Drops file in Windows directory
      4  C:\WINDOWS\tasksche.exe
         C:\WINDOWS\tasksche.exe /i
         - Executes dropped EXE
1  C:\WINDOWS\mssecsvc.exe
   C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Modifies data under HKEY_USERS
The ",#1" argument calls the DLL's first export by ordinal rather than by name. The 64-bit rundll32.exe re-launches the same command through C:\Windows\SysWOW64\rundll32.exe, which is what happens when the DLL is 32-bit; the SysWOW64 instance is the one that writes mssecsvc.exe. The second root, mssecsvc.exe -m security, is the dropped binary started with its service argument; its parent (the service control manager) lies outside the tree. This matches WannaCry's known behaviour of installing itself as the mssecsvc2.0 service so that it survives reboots and runs as LocalSystem.
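The tree above is the host-side signal a detection engineer would encode: rundll32.exe invoking a DLL from the user's Temp directory by ordinal, then images named mssecsvc.exe and tasksche.exe appearing directly under the Windows directory with rundll32.exe among their ancestors. The following is an added example, not part of the sandbox output: it evaluates those rules, plus a hash match against the SHA256 values listed in this report, over constructed Sysmon-style process-creation events whose PIDs, images and command lines mirror the tree (the parent PIDs 1200 and 700 and the final benign rundll32.exe launch are assumptions).

```python
"""Host-side detection for the WannaCry process chain recorded in the report.
Added example over constructed Sysmon-style events; not from the sandbox output."""
import re

# SHA256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "6150c2592384c9a6bd61f7c1c639a880ad280c990cb42dd85f2057ae98749ccc": "dropper DLL",
    "0552156f7c82c2207119395f34ef57de30e5aecd9ed36c4bbedfed45cab4bdc2": "mssecsvc.exe",
    "8184218abffccce34002ef7abca6ead0d717ec967870cd8e60304d00a5b4a999": "tasksche.exe",
}

# Constructed events (fields mirror Sysmon Event ID 1). PIDs, images and command
# lines follow the report's process tree; ppid 1200/700 and the last, benign
# rundll32 launch are assumptions added for the example.
SAMPLE_EVENTS = [
    {"pid": 3856, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\76bdc9c6a2d8643950698542a606efab.dll,#1"},
    {"pid": 4576, "ppid": 3856, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\76bdc9c6a2d8643950698542a606efab.dll,#1"},
    {"pid": 2860, "ppid": 4576, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe",
     "sha256": "0552156f7c82c2207119395f34ef57de30e5aecd9ed36c4bbedfed45cab4bdc2"},
    {"pid": 3780, "ppid": 2860, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i",
     "sha256": "8184218abffccce34002ef7abca6ead0d717ec967870cd8e60304d00a5b4a999"},
    {"pid": 3620, "ppid": 700, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security",
     "sha256": "0552156f7c82c2207119395f34ef57de30e5aecd9ed36c4bbedfed45cab4bdc2"},
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 loading a DLL out of the user's Local\Temp and calling an export by ordinal (",#N").
RUNDLL32_TEMP_ORDINAL = re.compile(
    r"rundll32(\.exe)?\s+.*\\AppData\\Local\\Temp\\[^,\s]+\.dll,#\d+", re.I)
# The two file names WannaCry writes directly into the Windows directory.
WANNACRY_IMAGE = re.compile(r"^[a-z]:\\windows\\(mssecsvc|tasksche)\.exe$", re.I)


def ancestors(events, pid):
    """Parent chain of `pid`, nearest first, as far as the event set allows (cycle-safe)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    ppid = by_pid[pid]["ppid"] if pid in by_pid else None
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        chain.append(by_pid[ppid])
        ppid = by_pid[ppid]["ppid"]
    return chain


def evaluate(events):
    """Return [(pid, image, [reasons])] for every event that matches at least one rule."""
    alerts = []
    for e in events:
        reasons = []
        if RUNDLL32_TEMP_ORDINAL.search(e["cmdline"]):
            reasons.append("rundll32 loads a DLL from the user's Temp directory by ordinal export")
        if WANNACRY_IMAGE.match(e["image"]):
            reasons.append("WannaCry dropper/payload image name in Windows directory")
            if any("rundll32.exe" in a["image"].lower() for a in ancestors(events, e["pid"])):
                reasons.append("spawned under rundll32.exe")
        if e.get("sha256") in KNOWN_SHA256:
            reasons.append("known hash: " + KNOWN_SHA256[e["sha256"]])
        if reasons:
            alerts.append((e["pid"], e["image"], reasons))
    return alerts


def alerted_pids(events):
    """Convenience view: the set of PIDs that produced at least one alert."""
    return {pid for pid, _, _ in evaluate(events)}


if __name__ == "__main__":
    for pid, image, reasons in evaluate(SAMPLE_EVENTS):
        print(pid, image, "; ".join(reasons))
```

The image-name and ancestry rules carry the weight here: the hash rule only catches this exact build, while a rundll32.exe launch of a Temp DLL by ordinal followed by new executables under the Windows directory generalises to other loaders that reuse the same staging pattern.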
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\WINDOWS\mssecsvc.exe (listed three times in the sandbox output, differing only in path case; all three entries carry identical hashes, so they are one file)
Filesize: 3.6MB
MD5: e0036e0d93f666c290c703ab0a78aa6c
SHA1: 53a2a455ddfad57178e54594b0515e72029d2b66
SHA256: 0552156f7c82c2207119395f34ef57de30e5aecd9ed36c4bbedfed45cab4bdc2
SHA512: f9716d7b9e7c67d7bcd6aa4699c53661d8c0b19abcdd37edb7c83dc44d45c05e55574fc1cd06760d650bbaac2c3b81f239f1a4270243a7bd99864b3cce4ed810

C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: 34de8be969a83865dd37c378b7cea60d
SHA1: d3c07ba3907737c05af16ec1e1fbdb19e32680f8
SHA256: 8184218abffccce34002ef7abca6ead0d717ec967870cd8e60304d00a5b4a999
SHA512: 3a091f12c4feb491208d762a87d1351e3941d8d15934f067576e64a91f27aa006eae01ca00cce795652b07b909dd9f7f69fbb5a39c46db6222393bb4cc46077c
memory/2860-131-0x0000000000000000-mapping.dmp
memory/4576-130-0x0000000000000000-mapping.dmp