Analysis

max time kernel:  156s
max time network: 159s
platform:         windows10-2004_x64
resource:         win10v2004-20220718-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted:        20/07/2022, 07:44
Static task:     static1
Behavioral task: behavioral1
  Sample:   8c5266b76cb1b59fcc1edbc8d8908d4f.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample:   8c5266b76cb1b59fcc1edbc8d8908d4f.dll
  Resource: win10v2004-20220718-en
General

Target: 8c5266b76cb1b59fcc1edbc8d8908d4f.dll
Size:   5.0MB
MD5:    8c5266b76cb1b59fcc1edbc8d8908d4f
SHA1:   904064e4f6194f3b40415e1d65a7a74a4f5c15c1
SHA256: b3ac4447b03488cba38e3aee1b3310cd96d8673f781031aa5b54bf413725e2bd
SHA512: d9a343fe916d4e82f69d5525e238e4bb1878b3115d1248e030ea28d220fe23b68d2cfc31491dbd988bee4667f24967b936bb00376bdd57fc3665163c1263b8ae
Malware Config

Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (2912) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  pid   Process
  5056  mssecsvc.exe
  968   mssecsvc.exe
  4500  tasksche.exe

Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                              Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process       procid_target
  PID 1900 wrote to memory of 4424  1900  rundll32.exe  78
  PID 1900 wrote to memory of 4424  1900  rundll32.exe  78
  PID 1900 wrote to memory of 4424  1900  rundll32.exe  78
  PID 4424 wrote to memory of 5056  4424  rundll32.exe  79
  PID 4424 wrote to memory of 5056  4424  rundll32.exe  79
  PID 4424 wrote to memory of 5056  4424  rundll32.exe  79
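The two network-scan signatures above are count-based: the sandbox saw one process open flows to 2912 distinct remote hosts. The same observation can be made from flow logs on a real network with a sliding-window fan-out counter. The following is an added example, not part of the sandbox report; the flow records are constructed by hand (a normal workstation cycling through five servers, and a host sweeping its own /24), and TCP port 445 is an assumption for the sweep since the report does not list ports.

```python
"""Flag hosts whose distinct-destination count within a time window is
abnormally high (worm-style scanning). Added example with constructed flows."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since capture start
    src: str
    dst: str
    dport: int


def fanout_alerts(flows, window=60.0, threshold=100, dport=None):
    """Return {src: peak_distinct_destinations} for every source whose number of
    distinct destinations inside any `window`-second span exceeds `threshold`.
    If `dport` is given, only flows to that port are counted."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if dport is None or f.dport == dport:
            by_src[f.src].append(f)

    alerts = {}
    for src, fl in by_src.items():
        in_window = defaultdict(int)   # dst -> flows to it inside the window
        lo, peak = 0, 0
        for hi, f in enumerate(fl):
            in_window[f.dst] += 1
            # evict flows that fell out of the window (two-pointer sweep)
            while fl[hi].ts - fl[lo].ts > window:
                old = fl[lo].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            alerts[src] = peak
    return alerts


def sample_flows():
    """Constructed traffic, not from the report's capture."""
    flows = []
    # 10.0.0.7: ordinary workstation, five servers, one flow per second for 5 min
    servers = ["10.0.0.10", "10.0.0.11", "10.0.0.12", "192.0.2.20", "192.0.2.21"]
    for i in range(300):
        flows.append(Flow(ts=float(i), src="10.0.0.7", dst=servers[i % 5],
                          dport=445 if i % 2 else 443))
    # 10.0.0.5: sweeps every other host in its /24 on 445 within ~25 seconds
    for i, host in enumerate(ip_network("10.0.0.0/24").hosts()):
        if str(host) != "10.0.0.5":
            flows.append(Flow(ts=i * 0.1, src="10.0.0.5", dst=str(host), dport=445))
    return flows


if __name__ == "__main__":
    for src, peak in fanout_alerts(sample_flows(), dport=445).items():
        print(f"{src}: {peak} distinct 445/tcp peers inside 60s")
```

The threshold is the tuning knob: a file server or monitoring host legitimately talks to many peers, so it should be set from a baseline of the environment, and the sweep's sequential address order is a stronger signal than the count alone.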
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c5266b76cb1b59fcc1edbc8d8908d4f.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1900
  └ C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c5266b76cb1b59fcc1edbc8d8908d4f.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 4424
      └ C:\WINDOWS\mssecsvc.exe
          C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          PID: 5056
          └ C:\WINDOWS\tasksche.exe
              C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE
              PID: 4500

C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 968
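The process tree, the file-create IoCs and the registry IoCs above are all derivable from one ordered event stream, which is how a practitioner turns a sandbox report into a local detection. The following is an added example, not code from the sandbox: it replays a constructed event list (PIDs, image paths, command lines and registry keys copied from this report; the event order, and the missing parent of PID 968, are assumptions) and re-derives the report's signatures. The rundll32-from-Temp check is an extra heuristic added here, not one of the report's signatures.

```python
"""Re-derive behavioural signatures from a sandbox-style event stream.
Added example; events are constructed from the report above."""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    kind: str                       # "process", "file" or "reg"
    pid: int
    ppid: Optional[int] = None      # process events only
    image: Optional[str] = None     # process events only
    cmdline: Optional[str] = None   # process events only
    path: Optional[str] = None      # file path, or registry key/value path
    value: Optional[str] = None     # registry data


# rundll32 invoking an export by ordinal from a DLL in the user's Temp folder
TEMP_DLL_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^ ,]+\.dll,#\d+", re.I)


def match_signatures(events):
    """Return {signature: sorted pids} for the events, in stream order, so a
    process only counts as a 'dropped EXE' if its image was written earlier."""
    hits = defaultdict(set)
    dropped = set()  # lower-cased paths written so far in the analysis
    for e in events:
        if e.kind == "file":
            p = e.path.lower()
            dropped.add(p)
            if p.startswith("c:\\windows\\"):
                hits["Drops file in Windows directory"].add(e.pid)
        elif e.kind == "process":
            if e.image.lower() in dropped:
                hits["Executes dropped EXE"].add(e.pid)
            if (ntpath.basename(e.image).lower() == "rundll32.exe"
                    and TEMP_DLL_ORDINAL.search(e.cmdline or "")):
                hits["rundll32 loads DLL from user Temp by ordinal (added heuristic)"].add(e.pid)
        elif e.kind == "reg":
            if e.path.upper().startswith("\\REGISTRY\\USER\\"):
                hits["Modifies data under HKEY_USERS"].add(e.pid)
    return {k: sorted(v) for k, v in hits.items()}


def ancestry(events, pid):
    """Return [pid, parent, grandparent, ...] using the process-start events."""
    parent = {e.pid: e.ppid for e in events if e.kind == "process"}
    chain = [pid]
    while parent.get(chain[-1]) is not None:
        chain.append(parent[chain[-1]])
    return chain


DLL = r"C:\Users\Admin\AppData\Local\Temp\8c5266b76cb1b59fcc1edbc8d8908d4f.dll"
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# Constructed from the report's process tree and IoC tables.
SAMPLE_EVENTS = [
    Event("process", 1900, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event("process", 4424, 1900, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event("file", 4424, path=r"C:\WINDOWS\mssecsvc.exe"),
    Event("process", 5056, 4424, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    Event("file", 5056, path=r"C:\WINDOWS\tasksche.exe"),
    Event("process", 4500, 5056, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    # PID 968 is a second root in the report; its parent is not shown, so None (assumption)
    Event("process", 968, None, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    Event("reg", 968, path=ZONEMAP + "\\"),                        # key created
    Event("reg", 968, path=ZONEMAP + r"\ProxyBypass", value="1"),
    Event("reg", 968, path=ZONEMAP + r"\IntranetName", value="1"),
    Event("reg", 968, path=ZONEMAP + r"\UNCAsIntranet", value="1"),
    Event("reg", 968, path=ZONEMAP + r"\AutoDetect", value="0"),
]


if __name__ == "__main__":
    for sig, pids in match_signatures(SAMPLE_EVENTS).items():
        print(f"{sig}: {pids}")
    print("ancestry of 4500:", ancestry(SAMPLE_EVENTS, 4500))
```

Because "Executes dropped EXE" depends on having seen the file-create first, the ordering of events matters: feeding an EDR's process and file telemetry in timestamp order gives the same result as the sandbox, while an unordered join would also flag pre-existing binaries.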
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 3.6MB
MD5:      d2afab1f6e4b2f2c072890040ee91a62
SHA1:     cb37f128b5ecd3bc5d10efc892a3c5886ba3cc55
SHA256:   17ead2da93d1a5b5333b1755a75c8f3fe45233eb5cd802203b352f60e203309a
SHA512:   dadadd6604a8b0f53db62fe28974ef6e0cd47b6eb591d5e8504fcfaf192fe848e773c410e4ea88d20a82d23944b65ce57f710423122fade32db02bb9ebbf2049
(this artifact is listed three times in the report's downloads)

Filesize: 3.4MB
MD5:      a0c080b6b04064caddb90715a9115320
SHA1:     ab23cc42cf8f8b316d8fbb5b102ce7594a3d02cd
SHA256:   3eef39feef918a8ee0949af01c667fc94bf38f5b081b8d77fdbfa18f81e5e132
SHA512:   30868ecd8bf36cc2883508834f987f7339974e1429c640ec984ab9ae9a67f3085a5c8162f60fa5522eb9b18ab948fd4b99872dce813db33494d196f0d4ac8a91