Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 03:21
Static task: static1
Behavioral task: behavioral1
- Sample: 70fa9daf70449c9319014eef695648e7.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 70fa9daf70449c9319014eef695648e7.dll
- Resource: win10v2004-20220718-en
General
- Target: 70fa9daf70449c9319014eef695648e7.dll
- Size: 5.0MB
- MD5: 70fa9daf70449c9319014eef695648e7
- SHA1: 1caae797acb5a4827176f98be7431ffaedf07a4a
- SHA256: 63748e6acba4cbbeea40093c6571f641c78808f7a79ca0f2c2ad30aaef8be477
- SHA512: f70a42fb58e2218ac755d1135946b5cb92e512f915b97ef9e8e21fa07d084ae5a2dcde725c42e840387c11e6daeda47b88975d9bb117598ba94e7ea62c8128d2
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3202) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1360  mssecsvc.exe
    2556  mssecsvc.exe
    5032  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                  process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\         mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process       target process
    PID 3968 wrote to memory of 2416   3968  rundll32.exe  rundll32.exe
    PID 3968 wrote to memory of 2416   3968  rundll32.exe  rundll32.exe
    PID 3968 wrote to memory of 2416   3968  rundll32.exe  rundll32.exe
    PID 2416 wrote to memory of 1360   2416  rundll32.exe  mssecsvc.exe
    PID 2416 wrote to memory of 1360   2416  rundll32.exe  mssecsvc.exe
    PID 2416 wrote to memory of 1360   2416  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70fa9daf70449c9319014eef695648e7.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3968
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70fa9daf70449c9319014eef695648e7.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2416
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1360
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 5032
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2556
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB
  MD5: d2ca307b587409ea5503ec50839cf9df
  SHA1: ec8388e071febec5d5c3a8cc6fde342928650115
  SHA256: 32ce8874b69dcc6aeb43f6034b30d27ec389137651dfff030e1bb93b925584d1
  SHA512: cdde1d3e8fbce7b0048c8ff5e743cfe60975d8b83b5c6be138422c6718f768f926b74f5f6ea7abe0a538e1b60a233853885376b3d7c812d08fa614908bc76251
- Filesize: 3.4MB
  MD5: 061c91c00e4dd8670f7d12b057f5f259
  SHA1: abe8c1eeedac3a30b25f4b703cbe2012f8fd3da1
  SHA256: 5edb3724ec3ec13532b8cddda91f08d9bdf2b0a1115fc0617bb0665bc75b9ca5
  SHA512: 72c16731096d7f32343a7c87b448b69843c281c58eeb9eed91e710e41318978c1c06787c0c892478a43c1357a3c807c8680c2fb39431b952753adc9260927724