Analysis

Max time kernel: 150s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-20220718-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 20/07/2022, 07:33
Static task: static1

Behavioral task: behavioral1
Sample: 86f52c47bd6c4795e54aea3d133e7547.dll
Resource: win7-20220715-en

Behavioral task: behavioral2
Sample: 86f52c47bd6c4795e54aea3d133e7547.dll
Resource: win10v2004-20220718-en
General

Target: 86f52c47bd6c4795e54aea3d133e7547.dll
Size: 5.0MB
MD5: 86f52c47bd6c4795e54aea3d133e7547
SHA1: 4e119e821c6b5f0f15e83b9dc05a5e199a349ce8
SHA256: 4bd9347edac2eba983f5f54e8c842c09a0c1b0104b41d92c7e68cd7ace1f270c
SHA512: 3f8fd43e16b7cb7fab1215dccaf399063127047a9e3ff016a1bdddd858637a146bec55fc92b376fb674e2506f01f1e8551a51957e56658ad6400c6d437b88172
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3212) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  PID   Process
  4916  mssecsvc.exe
  3616  mssecsvc.exe
  4476  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Description      IoC                                                                                                        Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Description                       PID   Process       procid_target
  PID 4880 wrote to memory of 2700  4880  rundll32.exe  77
  PID 4880 wrote to memory of 2700  4880  rundll32.exe  77
  PID 4880 wrote to memory of 2700  4880  rundll32.exe  77
  PID 2700 wrote to memory of 4916  2700  rundll32.exe  78
  PID 2700 wrote to memory of 4916  2700  rundll32.exe  78
  PID 2700 wrote to memory of 4916  2700  rundll32.exe  78
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\86f52c47bd6c4795e54aea3d133e7547.dll,#1
  PID: 4880
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\86f52c47bd6c4795e54aea3d133e7547.dll,#1
    PID: 2700
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4916
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4476
        - Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3616
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 3.6MB
  MD5: 7f6cab73801d7ca89a335b6c9b3e8bf9
  SHA1: 672508a5e795db895cc83dbfd48fcb52f15860f9
  SHA256: 74549f9d788694ac41ee24aa27dfca97249ca7287d1ba766c7cf30dc31113fa8
  SHA512: 571b6ee20e6438cd628845f3e03222ca8488800bff5cab7bba64a6616bee97f430d4171768aa8f65554814ac2dcab078157f6760dfea17824f5ee7ca9600beb6
- Filesize: 3.4MB
  MD5: 60e22b8e0b0f6d32106487d4fd4f5298
  SHA1: 9d24a3c4be0ccb192456ab497a2cab4c43dac029
  SHA256: f291bc9153171bc9a4e87a98bda82f707f6abcd1ba8c7b5cec2c913c8adc6874
  SHA512: 1b45ee887821883372a3e15f1181f0ea57dc3d666f58a60b97379d6caed8585330048fa840cb0c384e27d0c6edfd6ac2194b99fa43688da5ea7d5215ac216071