Analysis
- max time kernel: 156s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 03:13

Static task: static1

Behavioral task: behavioral1
- Sample: 629e370b1d3ba9bf6724d7054bc89073.dll
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 629e370b1d3ba9bf6724d7054bc89073.dll
- Resource: win10v2004-20220718-en
General
- Target: 629e370b1d3ba9bf6724d7054bc89073.dll
- Size: 5.0MB
- MD5: 629e370b1d3ba9bf6724d7054bc89073
- SHA1: 76ec26415b600f0d373bd5fa24113e36b0f10ab3
- SHA256: fcf337a1914aa74016ddbc369980bf9a703e9eafc80c8e7053c642ef0052266f
- SHA512: 2cc62c6eb7d50a1115f864fb0ee09930f5b87d3c5e83f5393e5650c81db265ee14724f348cb24260d6c255c45d7554544a968952843b37fd6ef061328f7152c2
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3294) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes: mssecsvr.exe, mssecsvr.exe
  pid   process
  3816  mssecsvr.exe
  2264  mssecsvr.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvr.exe
  description   ioc                      process
  File created  C:\WINDOWS\mssecsvr.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvr.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvr.exe
  description      ioc                                                                                                        process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvr.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 3644 wrote to memory of 1696  3644  rundll32.exe  rundll32.exe
  PID 3644 wrote to memory of 1696  3644  rundll32.exe  rundll32.exe
  PID 3644 wrote to memory of 1696  3644  rundll32.exe  rundll32.exe
  PID 1696 wrote to memory of 3816  1696  rundll32.exe  mssecsvr.exe
  PID 1696 wrote to memory of 3816  1696  rundll32.exe  mssecsvr.exe
  PID 1696 wrote to memory of 3816  1696  rundll32.exe  mssecsvr.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\629e370b1d3ba9bf6724d7054bc89073.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3644
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\629e370b1d3ba9bf6724d7054bc89073.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1696
    - C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3816
- C:\WINDOWS\mssecsvr.exe
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2264
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.2MB
  MD5: 8632b048ae93552c09c0ca80ed6230a5
  SHA1: cbdd06886b6ffbccc620443f875ecd07db7c8909
  SHA256: 478e9dca209e33943a29a160f5959c86469b08766600f5183df106c2ea0713c0
  SHA512: a3255f1e32c78a93e13111324d1a3e31396a9a42ea7ccf4377086c68216267601781b9e717a6e05540451cb4bd67a037a5770ea67bfaa2ebcfe02a1e8775d5b2