Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 03:15
Static task: static1
Behavioral task: behavioral1
- Sample: a9097ff46602fea3fb6e59ecc29d15b7.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: a9097ff46602fea3fb6e59ecc29d15b7.dll
- Resource: win10v2004-20220414-en
General
- Target: a9097ff46602fea3fb6e59ecc29d15b7.dll
- Size: 5.0MB
- MD5: a9097ff46602fea3fb6e59ecc29d15b7
- SHA1: 03acf8a9a382461e4d1980be39472f7c0490c766
- SHA256: 633b81cf245a7c616d6ec09ac4a2093d4b1b5f484f81c9b7f4ad142e8a5b0f0d
- SHA512: 462ea792b18377673603f2d3db3ca714ea92eae8a429e2f896cff7127679465951a78703def597d4d9fde30f07aabef30a37b20a5df580e6ea9941a49af4ed11
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3302) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    4944  mssecsvc.exe
    3008  mssecsvc.exe
    4688  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                      process
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                                process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                       mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"      mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"       mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process       target process
    PID 2744 wrote to memory of 444   2744  rundll32.exe  rundll32.exe
    PID 2744 wrote to memory of 444   2744  rundll32.exe  rundll32.exe
    PID 2744 wrote to memory of 444   2744  rundll32.exe  rundll32.exe
    PID 444 wrote to memory of 4944   444   rundll32.exe  mssecsvc.exe
    PID 444 wrote to memory of 4944   444   rundll32.exe  mssecsvc.exe
    PID 444 wrote to memory of 4944   444   rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9097ff46602fea3fb6e59ecc29d15b7.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9097ff46602fea3fb6e59ecc29d15b7.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 2ff55dfcbe060b38c067706b69580bbf
  SHA1: 0ccf0a375c85a1396837908acabe0bc290508860
  SHA256: 18533c7d5f0317d363fc17a470f594304827f06d58258969bc9ccde3ec1dbfe6
  SHA512: 30587dc0407fd6d2af7dc9c1b100ff74e2d9b9c052be87c9bc3f49246205462c2bd34ab93dde147cfccd17422d99488d8f5fe280c7834fc644434b0076c62167
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 2ff55dfcbe060b38c067706b69580bbf
  SHA1: 0ccf0a375c85a1396837908acabe0bc290508860
  SHA256: 18533c7d5f0317d363fc17a470f594304827f06d58258969bc9ccde3ec1dbfe6
  SHA512: 30587dc0407fd6d2af7dc9c1b100ff74e2d9b9c052be87c9bc3f49246205462c2bd34ab93dde147cfccd17422d99488d8f5fe280c7834fc644434b0076c62167
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 94fe89675454f565792ceffe88f4ff8d
  SHA1: 888967d3ee02ea27602cc7a7897ac28f3ac02a9b
  SHA256: ad823ae6518d2a3c55600ca0898a3fa6526df57237826f03ba7aa0f139039048
  SHA512: 8ab9167385244b75574806a30602dd7786092053649b543f1e6e383bea19c110d573d4f0c78cf36497c62f26b9d51fc74c5a530e342ccf32db4f5a09799dcfeb
- memory/444-130-0x0000000000000000-mapping.dmp
- memory/4944-131-0x0000000000000000-mapping.dmp