Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2022, 07:34
Static task: static1
Behavioral task: behavioral1
  Sample: 50cbca00cd028986ce1c332c8093cdd9.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 50cbca00cd028986ce1c332c8093cdd9.dll
  Resource: win10v2004-20220414-en
General
Target: 50cbca00cd028986ce1c332c8093cdd9.dll
Size: 5.0MB
MD5: 50cbca00cd028986ce1c332c8093cdd9
SHA1: 80e9c0da857b9ed792a9fae87f56ed3363ffb8b4
SHA256: fecdbea3b7439653a0b422b22bb957577b0f100dc43b13148c20cc282cd4d865
SHA512: b8fab37e2d280f0c518ca9e503c5d6cfd77fee1791c3a2c60365b939114b98099106d4bd98556f5aa7a762a32c0b64b5d3ac88beae81bb02645408bf2d114d56
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3068) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
pid   Process
4640  mssecsvc.exe
4968  mssecsvc.exe
2132  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
description   ioc                      Process
File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
description      ioc                                                                                                        Process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                        pid   Process       procid_target
PID 4284 wrote to memory of 4444   4284  rundll32.exe  80
PID 4284 wrote to memory of 4444   4284  rundll32.exe  80
PID 4284 wrote to memory of 4444   4284  rundll32.exe  80
PID 4444 wrote to memory of 4640   4444  rundll32.exe  81
PID 4444 wrote to memory of 4640   4444  rundll32.exe  81
PID 4444 wrote to memory of 4640   4444  rundll32.exe  81
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\50cbca00cd028986ce1c332c8093cdd9.dll,#1
  PID: 4284
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\50cbca00cd028986ce1c332c8093cdd9.dll,#1
    PID: 4444
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4640
      - Executes dropped EXE
      - Drops file in Windows directory

      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2132
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4968
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 3.6MB
MD5: 985ba4ef47df1da29ee4751ccbef41bd
SHA1: c3518542cd5328dbfe54cda103d57858965ccd10
SHA256: 0478b53bae63fdac319a40ff83d46f5bf51736cb36930f30c7ea54ec35b321e6
SHA512: 3a9c4c9388ccf3221ccdcfd552241df14c52279708aaed65ed40cf59ff46f589d7ae61ea6ac328afabd6d5904415e5e77c170bf08d83f2349642da08ba8c8f7f

Filesize: 3.4MB
MD5: 34162f39d0401884115a772a8619cd45
SHA1: 0a74ce265b922c0020acee72ddfebb0505e99f7c
SHA256: 3cb80529bef49f8fcaa87e3b40cdf3c79beeac3cde3d84e7eba25812ccf43842
SHA512: 16dcbaa0ddc727f264bdfd378db49856b1055ce3e17f1eb7c27d758fdac607394c69f0c92d9bf31f6d39dd78a2f4856c368930be861ef1200309038af1dd6e1b