Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/07/2022, 07:34
Static task
- static1
Behavioral task
- behavioral1: sample 2b3e78c15dac89342f1877465e292d7d.dll, resource win7-20220718-en
- behavioral2: sample 2b3e78c15dac89342f1877465e292d7d.dll, resource win10v2004-20220718-en
General
- Target: 2b3e78c15dac89342f1877465e292d7d.dll
- Size: 5.0MB
- MD5: 2b3e78c15dac89342f1877465e292d7d
- SHA1: 725bac5b57fd334266a3925e9e668fd04de9b6ad
- SHA256: b56e00696cb8d5c824569e48b544f17d07b2f5cd2985a35ab11598a2cc424c16
- SHA512: 900c28a81f4cca92ce761473a68fa98742bf882fb2cb118bdb6d4ffb304a399c9ac8ed5bd5b7f686b2254745a2e95da5c57719df7270c82c2ab1211fcfe7fc80
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3264) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  4880  mssecsvc.exe
  3056  mssecsvc.exe
  3432  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                        Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\               mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 1708 wrote to memory of 2412  1708  rundll32.exe  78
  PID 1708 wrote to memory of 2412  1708  rundll32.exe  78
  PID 1708 wrote to memory of 2412  1708  rundll32.exe  78
  PID 2412 wrote to memory of 4880  2412  rundll32.exe  79
  PID 2412 wrote to memory of 4880  2412  rundll32.exe  79
  PID 2412 wrote to memory of 4880  2412  rundll32.exe  79
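The two network signatures above ("Contacts a large number of remote hosts" and "Creates a large number of network flows") are a fan-out heuristic: one process opening connections to far more distinct hosts than normal software does, usually on a single port. The following is an added example of that heuristic, not code from the sandbox or from the sample. The flow records are constructed; the destination port (445), the host ranges and the 100-host threshold are assumptions chosen for the example, not values taken from the report.

```python
"""Distinct-destination fan-out heuristic over a process-attributed flow log.

Added example; flows are constructed, not a capture from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Flow:
    pid: int
    process: str
    dst_ip: str
    dst_port: int


def build_sample_flows() -> list[Flow]:
    """Constructed log: a browser re-contacts a handful of hosts, while the
    dropped service process (PID 3056 in the report) sweeps a /24 plus a
    block of deterministic pseudo-random addresses on one assumed port (445)."""
    flows: list[Flow] = []
    for i in range(40):
        flows.append(Flow(1234, "msedge.exe", f"203.0.113.{i % 4 + 1}", 443))
    base = int(IPv4Address("10.0.0.0"))
    for i in range(1, 255):
        flows.append(Flow(3056, "mssecsvc.exe", str(IPv4Address(base + i)), 445))
    for i in range(300):
        # 11.0.0.0 + i*7919: distinct addresses, deterministic so results are stable
        flows.append(Flow(3056, "mssecsvc.exe", str(IPv4Address(0x0B000000 + i * 7919)), 445))
    return flows


def fan_out(flows: list[Flow]) -> dict:
    """Per (pid, process): set of distinct hosts, flow count, per-port counts."""
    stats = defaultdict(lambda: {"hosts": set(), "flows": 0, "ports": defaultdict(int)})
    for f in flows:
        s = stats[(f.pid, f.process)]
        s["hosts"].add(f.dst_ip)
        s["flows"] += 1
        s["ports"][f.dst_port] += 1
    return stats


def scan_suspects(flows: list[Flow], min_hosts: int = 100, min_port_share: float = 0.9):
    """Processes whose distinct remote-host count reaches min_hosts and whose
    flows are concentrated (>= min_port_share) on one destination port.
    Returns sorted (pid, process, distinct_hosts, top_port) tuples."""
    hits = []
    for (pid, proc), s in fan_out(flows).items():
        n = len(s["hosts"])
        if n < min_hosts:
            continue
        top_port, top_count = max(s["ports"].items(), key=lambda kv: kv[1])
        if top_count / s["flows"] >= min_port_share:
            hits.append((pid, proc, n, top_port))
    return sorted(hits)


if __name__ == "__main__":
    for pid, proc, n, port in scan_suspects(build_sample_flows()):
        print(f"scan-like fan-out: pid={pid} {proc} distinct_hosts={n} port={port}")
```

The port-concentration condition is what separates a service sweep from a busy but legitimate process such as a browser or an update client, which spreads its connections across many ports and re-uses a small set of hosts; the threshold should be tuned per environment rather than taken from this example.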
Processes
- C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3e78c15dac89342f1877465e292d7d.dll,#1
  PID: 1708
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3e78c15dac89342f1877465e292d7d.dll,#1
    PID: 2412
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      command: C:\WINDOWS\mssecsvc.exe
      PID: 4880
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        command: C:\WINDOWS\tasksche.exe /i
        PID: 3432
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  command: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3056
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
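The process tree above is the detection-relevant part of the report: rundll32.exe loads a DLL from the user's Temp directory, writes mssecsvc.exe into C:\WINDOWS\ and executes it, that process writes and executes tasksche.exe /i, and a second mssecsvc.exe instance (-m security) sets Internet Settings\ZoneMap values under HKEY_USERS\.DEFAULT. The following is an added example of reconstructing that drop-and-execute chain from Sysmon-style events; it is not code from the sandbox or from the sample. SAMPLE_EVENTS is constructed to mirror the PIDs, paths and registry values in the report; the parent processes of the first rundll32.exe and of the "-m security" instance, and the benign msiexec.exe filler event, are assumptions.

```python
"""Drop-and-execute chain detection over Sysmon-style process/file/registry events.

Added example; SAMPLE_EVENTS is hand-made to mirror the report, not a real log export.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str            # "process" (creation), "file" (create) or "registry" (set value)
    pid: int
    image: str           # full path of the executing image
    parent_pid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""     # created file path or registry value path


WINDIR = "c:\\windows\\"
ZONEMAP = ("\\registry\\user\\.default\\software\\microsoft\\windows\\currentversion\\"
           "internet settings\\zonemap\\")

SAMPLE_EVENTS = [
    # constructed: parent explorer.exe (PID 900) is an assumption
    Event("process", 1708, r"C:\Windows\system32\rundll32.exe", 900, r"C:\Windows\explorer.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3e78c15dac89342f1877465e292d7d.dll,#1"),
    Event("process", 2412, r"C:\Windows\SysWOW64\rundll32.exe", 1708, r"C:\Windows\system32\rundll32.exe",
          r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3e78c15dac89342f1877465e292d7d.dll,#1"),
    Event("file", 2412, r"C:\Windows\SysWOW64\rundll32.exe", target=r"C:\WINDOWS\mssecsvc.exe"),
    Event("process", 4880, r"C:\WINDOWS\mssecsvc.exe", 2412, r"C:\Windows\SysWOW64\rundll32.exe",
          r"C:\WINDOWS\mssecsvc.exe"),
    Event("file", 4880, r"C:\WINDOWS\mssecsvc.exe", target=r"C:\WINDOWS\tasksche.exe"),
    Event("process", 3432, r"C:\WINDOWS\tasksche.exe", 4880, r"C:\WINDOWS\mssecsvc.exe",
          r"C:\WINDOWS\tasksche.exe /i"),
    # constructed: parent services.exe (PID 700) is an assumption
    Event("process", 3056, r"C:\WINDOWS\mssecsvc.exe", 700, r"C:\Windows\system32\services.exe",
          r"C:\WINDOWS\mssecsvc.exe -m security"),
    Event("registry", 3056, r"C:\WINDOWS\mssecsvc.exe",
          target=r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"),
    # constructed benign filler: a file written under C:\WINDOWS\ that is never executed
    Event("file", 5100, r"C:\Windows\system32\msiexec.exe", target=r"C:\WINDOWS\Installer\abc.msi"),
]


def drop_and_execute(events):
    """Every file created under the Windows directory that is later started as a
    process. Returns (creator_pid, creator_image, path, executing_pid) in event order."""
    created = {}
    hits = []
    for e in events:
        if e.kind == "file" and e.target.lower().startswith(WINDIR):
            created[e.target.lower()] = (e.pid, e.image)
        elif e.kind == "process" and e.image.lower() in created:
            cpid, cimg = created[e.image.lower()]
            hits.append((cpid, cimg, e.image, e.pid))
    return hits


def chained_drops(events):
    """Second-stage pattern from the report: a process that is itself a dropped,
    executed file goes on to drop and execute another. Returns
    (dropper_pid, stage1_pid, stage2_pid)."""
    hits = drop_and_execute(events)
    return [(h[0], h[3], h2[3]) for h in hits for h2 in hits if h2[0] == h[3]]


def rundll32_temp_dll(events):
    """rundll32.exe instances whose command line loads a DLL from a user-writable
    AppData\\Local\\Temp path, as the sample was launched."""
    out = []
    for e in events:
        if e.kind == "process" and e.image.lower().endswith("\\rundll32.exe"):
            cl = e.cmdline.lower()
            if "\\appdata\\local\\temp\\" in cl and ".dll" in cl:
                out.append(e.pid)
    return out


def zonemap_writers(events):
    """PIDs setting Internet Settings\\ZoneMap values under HKEY_USERS\\.DEFAULT,
    i.e. in the LocalSystem profile rather than an interactive user's hive."""
    return sorted({e.pid for e in events
                   if e.kind == "registry" and e.target.lower().startswith(ZONEMAP)})


if __name__ == "__main__":
    print("drop+execute:", drop_and_execute(SAMPLE_EVENTS))
    print("chained:", chained_drops(SAMPLE_EVENTS))
    print("rundll32 from Temp:", rundll32_temp_dll(SAMPLE_EVENTS))
    print("ZoneMap writers under .DEFAULT:", zonemap_writers(SAMPLE_EVENTS))
```

Keying the file-creation map on the normalized path is what ties the "Drops file in Windows directory" and "Executes dropped EXE" signatures together: neither event is suspicious on its own (installers write to C:\WINDOWS\ routinely), but the same path being written and then run, twice in a row down one process lineage, is the shape the report shows.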
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB
  MD5: 8fc1d22f4f7b401ae124feccf1b5c525
  SHA1: 2b44885b8cc7543446e5c4e1a14106e0d7db49b6
  SHA256: fd9cd064d6e553e22254d6b1fcd746bf792428f0ab22fa8ca368ff9f41731ca8
  SHA512: 7cc5b2409dec6009e5f457356638f3c04f269f5bffd2e080d426a27b9837a924c634f80f5ba3f5e3a2cd5fee76b752b8577c516b4c7bc8e8852e859e96fcf526
- Filesize: 3.4MB
  MD5: c23c03d983d146043d45f4e78973850d
  SHA1: 52ea200315ab77573122ed7ac3d7be47139f9918
  SHA256: 80e211eca3c140f1a8168ec4fa5c49c7c366e3b8f14dd79301962df91e2fc890
  SHA512: 4790ffb1157609548f23048a3bb98074621e8947cd30e694c259a08012595aa218ae39cbeee47c470a958ab45805668b89efaa4a0676a24afea788e79caeade2