Analysis
- max time kernel: 153s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/07/2022, 07:39
Static task: static1
Behavioral task: behavioral1
  Sample: ff0ec5621475e217fa6d2fea39b9a37e.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: ff0ec5621475e217fa6d2fea39b9a37e.dll
  Resource: win10v2004-20220718-en
General
- Target: ff0ec5621475e217fa6d2fea39b9a37e.dll
- Size: 5.0MB
- MD5: ff0ec5621475e217fa6d2fea39b9a37e
- SHA1: dddceadfd6396ea7ead3aec4429c22ec0359f408
- SHA256: b9029c845771376e90d6f199449b5c2c337ddccb242f376223f54bc2df44fdc6
- SHA512: 5ec084bd18132daafd2abe81803686e121c6bfc3787bbfac12f52caf78b11b22188d330e13d6bced7e1e89f964c4d0032afdec97afe91ae33054a68ba3ca943d
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3288) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  3928  mssecsvc.exe
  2188  mssecsvc.exe
  2428  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                                   Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 1672 wrote to memory of 2332  1672  rundll32.exe  76
  PID 1672 wrote to memory of 2332  1672  rundll32.exe  76
  PID 1672 wrote to memory of 2332  1672  rundll32.exe  76
  PID 2332 wrote to memory of 3928  2332  rundll32.exe  77
  PID 2332 wrote to memory of 3928  2332  rundll32.exe  77
  PID 2332 wrote to memory of 3928  2332  rundll32.exe  77
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff0ec5621475e217fa6d2fea39b9a37e.dll,#1
  PID: 1672
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff0ec5621475e217fa6d2fea39b9a37e.dll,#1
    PID: 2332
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3928
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2428
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2188
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB
  MD5: bce37f9a46dd6e5ed17db4c24a28dc7f
  SHA1: f6735933b157c30cb02af4e76b541e8e3d4de019
  SHA256: 304677e6ad30803ebfc8f28a17d7b383c868ee3bf78b854188bbe0acb7e74fb2
  SHA512: 2174eddacb0bcc795e93fdaf72905983fcbffe8a092dbfecff97a3b0b0c988a3d1acdbc721a156539bd22b0c01dc378647b50a15d4ac4f351ef51967be0877da
- Filesize: 3.4MB
  MD5: 16226b9dab177f18ec44f297a2d0e86a
  SHA1: 40d9d09f08376b07b73d8f70374151a2c0fa5bf4
  SHA256: 81f1a0cb09387321278177d55442f1c32fecff59c579584dd2e4e52753a8b315
  SHA512: 79f24ba409412140c148936d1ccabb876c671a56c72c6641200f272cf2ced278ab88e32a610b00f709e3b129123800c119aa10521e0f1d9123f1078f8b07d283