Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/07/2022, 07:42

Static task: static1
Behavioral task: behavioral1
  Sample: b9f7069adbd290e6d9ec6c97d9c98a53.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: b9f7069adbd290e6d9ec6c97d9c98a53.dll
  Resource: win10v2004-20220414-en
General
- Target: b9f7069adbd290e6d9ec6c97d9c98a53.dll
- Size: 5.0MB
- MD5: b9f7069adbd290e6d9ec6c97d9c98a53
- SHA1: cc92098be427e8824f24d33f644e24f1332c1d8f
- SHA256: 5d52eec99f5bb3342372f1667b61cd0297db540a84c091c358696073ce1dcbaa
- SHA512: 946d812a115bb4fdc7198d5c7d5ca7569e3bf08f2bff13bc6acba80aca0672da62fad76b684750eca7766ba88c985ff5121dc3c65aa73962c33d6a5b61ec11b3
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3179) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  4760  mssecsvr.exe
  4548  mssecsvr.exe
  4272  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (4 IoCs)
  description   ioc                                               Process
  File created  C:\WINDOWS\mssecsvr.exe                           rundll32.exe
  File created  C:\WINDOWS\tasksche.exe                           mssecsvr.exe
  File created  C:\Windows\__tmp_rar_sfx_access_check_240557703   tasksche.exe
  File created  C:\Windows\eee.exe                                tasksche.exe
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                          Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvr.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process       procid_target
  PID 2116 wrote to memory of 3792  2116  rundll32.exe  83
  PID 2116 wrote to memory of 3792  2116  rundll32.exe  83
  PID 2116 wrote to memory of 3792  2116  rundll32.exe  83
  PID 3792 wrote to memory of 4760  3792  rundll32.exe  84
  PID 3792 wrote to memory of 4760  3792  rundll32.exe  84
  PID 3792 wrote to memory of 4760  3792  rundll32.exe  84
  PID 4760 wrote to memory of 4272  4760  mssecsvr.exe  86
  PID 4760 wrote to memory of 4272  4760  mssecsvr.exe  86
  PID 4760 wrote to memory of 4272  4760  mssecsvr.exe  86
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9f7069adbd290e6d9ec6c97d9c98a53.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2116
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9f7069adbd290e6d9ec6c97d9c98a53.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3792
    - C:\WINDOWS\mssecsvr.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 4760
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        - Drops file in Windows directory
        PID: 4272
- C:\WINDOWS\mssecsvr.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4548
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.2MB
  MD5: 36eaefe7bd29722caf93a2c35d43e26d
  SHA1: 83b3c33fa008122e5828d17c6546c8c732e97107
  SHA256: 6c3dcf66abc7ab7c0c6bccb492ad4ab3604b88796e3db6d79d025c4cbcfc077d
  SHA512: a6db849ea99d2b4a3f04a0d0b9f9e8180404782624008e0049e3c7175ceeb29b2210d74e7430ee53f42968b3dd987241ed05672e1b7feeebe3aac56009ac5fae
- Filesize: 2.0MB
  MD5: 821d10b8f06f9d2dc7acd5ad9fd6fb01
  SHA1: a94e5aef4d32e4b3d69c6c501905a9cf5c96b7a1
  SHA256: a94ceffc16534405e9961cf2ebe70c5a9164db45346d9ed0262c14a7853be36f
  SHA512: e2135b6aaa98c666207724697bd43b0bc8a34d1b25ecbad8e13db67988b0e4a00f3b489042f24cd24623cf31db5d564e0359110626409a82855e861dd2c060c1