Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 03:23
Static task: static1
Behavioral task: behavioral1
  Sample: 5fcd8cc470d769069f7e7c48498a6d18.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5fcd8cc470d769069f7e7c48498a6d18.dll
  Resource: win10v2004-20220718-en
General
- Target: 5fcd8cc470d769069f7e7c48498a6d18.dll
- Size: 5.0MB
- MD5: 5fcd8cc470d769069f7e7c48498a6d18
- SHA1: 062fd0720232c0a95808f50b9565d64c31e9fe48
- SHA256: 95c2ba129dae7ef5a742da353bd914c504dc60c31228e99d85afb2303a7a518a
- SHA512: 936d85ac815316208a7960f9d00523fd774ec17e48aae40750de3eebcb43c94f60c03e1150820e6033db0f35290f3977aec12792e53eaae600d9ae0330d2507f
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3124) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    4128  mssecsvc.exe
    4704  mssecsvc.exe
    2696  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                      process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid   pid_target  process       target process
    4828  2696        WerFault.exe  tasksche.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    description      ioc                                                                                                     process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\            mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: rundll32.exe, rundll32.exe, mssecsvc.exe
    description                       pid   process       target process
    PID 1184 wrote to memory of 4376  1184  rundll32.exe  rundll32.exe
    PID 1184 wrote to memory of 4376  1184  rundll32.exe  rundll32.exe
    PID 1184 wrote to memory of 4376  1184  rundll32.exe  rundll32.exe
    PID 4376 wrote to memory of 4128  4376  rundll32.exe  mssecsvc.exe
    PID 4376 wrote to memory of 4128  4376  rundll32.exe  mssecsvc.exe
    PID 4376 wrote to memory of 4128  4376  rundll32.exe  mssecsvc.exe
    PID 4128 wrote to memory of 2696  4128  mssecsvc.exe  tasksche.exe
    PID 4128 wrote to memory of 2696  4128  mssecsvc.exe  tasksche.exe
    PID 4128 wrote to memory of 2696  4128  mssecsvc.exe  tasksche.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fcd8cc470d769069f7e7c48498a6d18.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fcd8cc470d769069f7e7c48498a6d18.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 224
          - Program crash
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2696 -ip 2696
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 9a7dd9f18b360857ab66f81acf6bf430
  SHA1: 709f241f65764bbea1819de16a235981657b9e64
  SHA256: 511559a52266dc69ff6cc2715f699269895c2d14c01f1fc861254598ad8eab2a
  SHA512: 8b03b54ec8b0222c99f61de7df637fd2066226d603f85e8891d84708a5cb79a0fbcd427cb2f09d3c8e80109499c5a044e95afaa04d99134ccfd5d789b30200fb
- C:\WINDOWS\tasksche.exe
  Filesize: 3.4MB
  MD5: f96b8d6fab1906a7f02f3047b8bbedd3
  SHA1: 64a7b3db933794f3631a1c22b29c7ba13c253e32
  SHA256: 5aee8b4132d5b4d9130184c1775777379e3b2dcffc7501336d16609814333f85
  SHA512: a8b8f3a7bba2f70c7f0a8c4b90c27f88e17a43cd6772961e5ab1c12f1cb55bf8da0649bbe9fe100341a993435e9fa747712d957c4d0156b99f8e304d423ccda2
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 9a7dd9f18b360857ab66f81acf6bf430
  SHA1: 709f241f65764bbea1819de16a235981657b9e64
  SHA256: 511559a52266dc69ff6cc2715f699269895c2d14c01f1fc861254598ad8eab2a
  SHA512: 8b03b54ec8b0222c99f61de7df637fd2066226d603f85e8891d84708a5cb79a0fbcd427cb2f09d3c8e80109499c5a044e95afaa04d99134ccfd5d789b30200fb
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f96b8d6fab1906a7f02f3047b8bbedd3
  SHA1: 64a7b3db933794f3631a1c22b29c7ba13c253e32
  SHA256: 5aee8b4132d5b4d9130184c1775777379e3b2dcffc7501336d16609814333f85
  SHA512: a8b8f3a7bba2f70c7f0a8c4b90c27f88e17a43cd6772961e5ab1c12f1cb55bf8da0649bbe9fe100341a993435e9fa747712d957c4d0156b99f8e304d423ccda2
- memory/2696-135-0x0000000000000000-mapping.dmp
- memory/4128-131-0x0000000000000000-mapping.dmp
- memory/4376-130-0x0000000000000000-mapping.dmp