Analysis

max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220414-en locale:en-us os:windows10-2004-x64 system
submitted: 20/07/2022, 07:42
Static task: static1

Behavioral task: behavioral1
Sample: 2fa2b45f10328565d9cedcaaf3131771.dll
Resource: win7-20220715-en

Behavioral task: behavioral2
Sample: 2fa2b45f10328565d9cedcaaf3131771.dll
Resource: win10v2004-20220414-en
General

Target: 2fa2b45f10328565d9cedcaaf3131771.dll
Size: 5.0MB
MD5: 2fa2b45f10328565d9cedcaaf3131771
SHA1: 524c453b2537d41fd3d113bfe905f351703ff592
SHA256: 81b7d9a20398387471e9830806ee44e9f52ee2c29d2c50707d2747a24fe02d40
SHA512: 480698612b1aba3deb3d1f7b40a400294b2ed3449a78e0e104a9f2b712a44a5cdcae2384aef25d25b716293fc4febc24fb703cb25f56e51b83eade0699ed2e34
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3225) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  pid   Process
  1396  mssecsvc.exe
  2616  mssecsvc.exe
  4056  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe

- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                            Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 4144 wrote to memory of 5040  4144  rundll32.exe  80
  PID 4144 wrote to memory of 5040  4144  rundll32.exe  80
  PID 4144 wrote to memory of 5040  4144  rundll32.exe  80
  PID 5040 wrote to memory of 1396  5040  rundll32.exe  81
  PID 5040 wrote to memory of 1396  5040  rundll32.exe  81
  PID 5040 wrote to memory of 1396  5040  rundll32.exe  81
Processes

- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa2b45f10328565d9cedcaaf3131771.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:4144
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa2b45f10328565d9cedcaaf3131771.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:5040
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:1396
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:4056

- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2616
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB
  MD5: 9f5fcc06c35b79fd9fc1cc3fd8d5eb7f
  SHA1: 380da41bb2ccde2e9b5e7f5ceb1d4103e9919628
  SHA256: 8ce7c85b5da5303647f5eb6d98ca54d6e6cb9f4c9462535b8034fe8c19b4ca52
  SHA512: 36034d0161da4709b6a255fa772d94c77670ef13d08edb682ef2ecde3b2581e645f0093e0ee072db037ac9c3c95b3f0665904ef03b4f0799cdc3bc4229358f1f
- Filesize: 3.4MB
  MD5: 72b7326ad47efacd38036f594e2e0dc4
  SHA1: 919cfc5ca4e334cc3dd9a5480cac09454593ef5a
  SHA256: c12b903c402922ea0978c82218a9e6e73035af524096428391d6b53fcfad878a
  SHA512: b958fd7e154bab31f8f23c9fa867bbbaaff0179acde5aa8c7a3b0928bb7c1b48eaef05866a26fb53fbfd38453e1cde896d92920d022d003fc89dbc72734c2f59