Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
resource tags
arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system -
submitted
20-07-2022 03:18
Static task
static1
Behavioral task
behavioral1
Sample
833673f1109f028b77a5703bdd180bda.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
833673f1109f028b77a5703bdd180bda.dll
Resource
win10v2004-20220718-en
General
-
Target
833673f1109f028b77a5703bdd180bda.dll
-
Size
5.0MB
-
MD5
833673f1109f028b77a5703bdd180bda
-
SHA1
c182af79cac9592bb4b4bbe5f507e70fe98e08ca
-
SHA256
9bfd0ee288665f94b99c0bea0d7bdc55521fa761a2a8e0390481bf3a3f210cf7
-
SHA512
29eda75865243498b123c7fe5c6b7b3bba40e5838dc41b27fabaa6b3c52bf81f824da3a51ece3ba5a978ca3e3b540c027cadec769d418d37104800f164908c24
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3184) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 2 IoCs
Processes:
mssecsvr.exemssecsvr.exepid process 2732 mssecsvr.exe 1808 mssecsvr.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvr.exedescription ioc process File created C:\WINDOWS\mssecsvr.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvr.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvr.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvr.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3064 wrote to memory of 3840 3064 rundll32.exe rundll32.exe PID 3064 wrote to memory of 3840 3064 rundll32.exe rundll32.exe PID 3064 wrote to memory of 3840 3064 rundll32.exe rundll32.exe PID 3840 wrote to memory of 2732 3840 rundll32.exe mssecsvr.exe PID 3840 wrote to memory of 2732 3840 rundll32.exe mssecsvr.exe PID 3840 wrote to memory of 2732 3840 rundll32.exe mssecsvr.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\833673f1109f028b77a5703bdd180bda.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\833673f1109f028b77a5703bdd180bda.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3840 -
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2732
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1808
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD57bf8e812377b14c873b0a5c857ee0346
SHA105097523b6ac26a12ec1ed6a21ef11f153be2dd4
SHA2560fb97a3bc05d33f4a5641f12a3491fa057e625a10b311613c5c41b8a950d8330
SHA512d413a2935953f5aa55c170d10ac770f8d09513673c40ae900daf4e3378a9712e27456767cdafe03a8a961b8723e7676d02eea3cdc73df3cada4bf95f2622545a
-
Filesize
3.6MB
MD57bf8e812377b14c873b0a5c857ee0346
SHA105097523b6ac26a12ec1ed6a21ef11f153be2dd4
SHA2560fb97a3bc05d33f4a5641f12a3491fa057e625a10b311613c5c41b8a950d8330
SHA512d413a2935953f5aa55c170d10ac770f8d09513673c40ae900daf4e3378a9712e27456767cdafe03a8a961b8723e7676d02eea3cdc73df3cada4bf95f2622545a
-
Filesize
3.6MB
MD57bf8e812377b14c873b0a5c857ee0346
SHA105097523b6ac26a12ec1ed6a21ef11f153be2dd4
SHA2560fb97a3bc05d33f4a5641f12a3491fa057e625a10b311613c5c41b8a950d8330
SHA512d413a2935953f5aa55c170d10ac770f8d09513673c40ae900daf4e3378a9712e27456767cdafe03a8a961b8723e7676d02eea3cdc73df3cada4bf95f2622545a