Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 03:12
Static task: static1
Behavioral task: behavioral1
  Sample: 38ab7916fc2ba54ec6ade58a137556b2.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 38ab7916fc2ba54ec6ade58a137556b2.dll
  Resource: win10v2004-20220718-en
General
Target: 38ab7916fc2ba54ec6ade58a137556b2.dll
Size: 5.0MB
MD5: 38ab7916fc2ba54ec6ade58a137556b2
SHA1: 1da706431d4a25c27ab47276d932c0b9d08cb644
SHA256: f464b32447533eeaa9c315f86ef1d5efde140d4f60144c251a86e510860509b3
SHA512: 5b4dbe5cae76904b73c585478e1c550e3eae6edcd582a2b7cd76db3238468c3d61fa07d0c202b905d2f393ed4c94ad43ad1d195fdad96103189cf1979ad23cd6
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3220) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 4828  mssecsvc.exe
    PID 4544  mssecsvc.exe
    PID 2180  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created  C:\WINDOWS\mssecsvc.exe  (process: rundll32.exe)
    File created  C:\WINDOWS\tasksche.exe  (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  (process: mssecsvc.exe)
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  (process: mssecsvc.exe)
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  (process: mssecsvc.exe)
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  (process: mssecsvc.exe)
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  (process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 4268 wrote to memory of 1656  (rundll32.exe -> rundll32.exe)
    PID 4268 wrote to memory of 1656  (rundll32.exe -> rundll32.exe)
    PID 4268 wrote to memory of 1656  (rundll32.exe -> rundll32.exe)
    PID 1656 wrote to memory of 4828  (rundll32.exe -> mssecsvc.exe)
    PID 1656 wrote to memory of 4828  (rundll32.exe -> mssecsvc.exe)
    PID 1656 wrote to memory of 4828  (rundll32.exe -> mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\38ab7916fc2ba54ec6ade58a137556b2.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\38ab7916fc2ba54ec6ade58a137556b2.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 75f3a97683f88028e26d11bc5087cca6
  SHA1: 2497ad91014cc591d9e46dbed1b2c891d45e3eb9
  SHA256: 402693df7f8e9b82a473107014262019aa3748244c20ee083f1ad84113267b9a
  SHA512: 4df2f03161b73a744a1aec8ba136490b2a2084195a011a00dd1275a447155b0e36f62b7e89a099cda01a27256fa04aaca4fbc727719cf7fd669bec96314360a4
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 565eafef92cd574e804215824ed4d0e7
  SHA1: 8a92c0d3d92684ebd622684919ace79eedafa8b6
  SHA256: 5b3ae5c82984228da4b67549e1331565431e0bb4a44bd64615ee7d7bd3dc2c6a
  SHA512: 19cec62cc7c2864e08fdaca2b2f32724056ecb0d569d9b9b13e6dc08c0f20cd5adc59e17bf5e907208e8334605e3862002e4efeabebfccb0733a9f9fe7d2ae34
- memory/1656-130-0x0000000000000000-mapping.dmp
- memory/4828-131-0x0000000000000000-mapping.dmp