Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2022, 07:43
Static task: static1

Behavioral task: behavioral1
  Sample: ec5748f79216b65959301174fbf96957.dll
  Resource: win7-20220718-en

Behavioral task: behavioral2
  Sample: ec5748f79216b65959301174fbf96957.dll
  Resource: win10v2004-20220718-en
General

Target: ec5748f79216b65959301174fbf96957.dll
Size: 5.0MB
MD5: ec5748f79216b65959301174fbf96957
SHA1: 690f8cecc24108338930a17c70a528292c60be38
SHA256: 105e8ccca5c3be8e5bb23b1afbba9720c44d0ec45a2ef85d004c34526464ed0f
SHA512: d571b153abd7216dcf05085d4730e9c9410d4ad6f8015b0d9334e3db00e33bf351f155a880ccf733bc21a2530598ee42a6d76ec81b2f5390bd978431042f48bd
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3228) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
pid  | Process
3596 | mssecsvc.exe
2100 | mssecsvc.exe
4324 | tasksche.exe

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
description  | ioc                     | Process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
description     | ioc                                                                                                         | Process
Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                      | pid  | Process      | procid_target
PID 2884 wrote to memory of 3124 | 2884 | rundll32.exe | 78
PID 2884 wrote to memory of 3124 | 2884 | rundll32.exe | 78
PID 2884 wrote to memory of 3124 | 2884 | rundll32.exe | 78
PID 3124 wrote to memory of 3596 | 3124 | rundll32.exe | 79
PID 3124 wrote to memory of 3596 | 3124 | rundll32.exe | 79
PID 3124 wrote to memory of 3596 | 3124 | rundll32.exe | 79
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec5748f79216b65959301174fbf96957.dll,#1
  PID: 2884
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec5748f79216b65959301174fbf96957.dll,#1
    PID: 3124
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3596
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4324
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2100
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 3.6MB
MD5: 42db6f5ea2fa39f344fe8bcbb70c2446
SHA1: a56bbda5cdae8d02a5f766f10fbf3e23e2d4ec83
SHA256: 2b950f9148cd1558d3034fe775be313e6600dff8c12dc5c3c309f9979c210eaa
SHA512: 14c268a98a0d1a46e5af3a6d9eb72ed20f91d32be489895d605237874e006af5d70ec66766bf24cdad17ea0885742c6f02430914048231a9085b7700484973c0

Filesize: 3.4MB
MD5: 1c8b86848417ca00d2c49b4515e6516a
SHA1: f5d333f02e227a2fb70536d12f90ca359c8d263d
SHA256: 2eefc917cef61a212eea8c033f028dda3c791e55791de69c79252d56423982c1
SHA512: bc362feaace7bd0fba650c18d2b3b89a1f9f5fdb347e62eb4877e56f7c682be05fd341d79586245b4912df3e26512496e3631255674622f4ae5a9b060f04b749