Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220414-en locale:en-us os:windows10-2004-x64 system -
submitted
20/07/2022, 07:45
Static task
static1
Behavioral task
behavioral1
Sample
aa6c3af589f56e44fa4f00cc5ee60169.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
aa6c3af589f56e44fa4f00cc5ee60169.dll
Resource
win10v2004-20220414-en
General
-
Target
aa6c3af589f56e44fa4f00cc5ee60169.dll
-
Size
5.0MB
-
MD5
aa6c3af589f56e44fa4f00cc5ee60169
-
SHA1
80708025c3a71d2607dfa670e3de4f158351194e
-
SHA256
65d88350e1e0577f647a1d0e91dd4baf6e5ce42d3845d5e5cdbee03f6a1d9d50
-
SHA512
836fe58ab81d3c22ec00ac73e20a45e839a705c912faaf24511cb2fc54f848466e584fa674fb9cc8b6be7f8d442f4ca1a9f30d8245dd486c8e1c4e266c2e08a7
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3277) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid   Process
1112  mssecsvc.exe
3028  mssecsvc.exe
3168  tasksche.exe
-
Creates a large number of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description   ioc                       Process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
description      ioc                                                                                                         Process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process       procid_target
PID 1684 wrote to memory of 1792  1684  rundll32.exe  80
PID 1684 wrote to memory of 1792  1684  rundll32.exe  80
PID 1684 wrote to memory of 1792  1684  rundll32.exe  80
PID 1792 wrote to memory of 1112  1792  rundll32.exe  81
PID 1792 wrote to memory of 1112  1792  rundll32.exe  81
PID 1792 wrote to memory of 1112  1792  rundll32.exe  81
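The two network signatures above (3277 remote hosts, a large number of flows) describe fan-out that a flow-level detector can catch while the sweep is still running. The Python below is an added example, not code from the sandbox or from this report: it builds a constructed flow log shaped after the report's process tree and raises one alert when a single process reaches more than a threshold of distinct destination hosts on one port inside a sliding time window. The field names, thresholds, and the choice of TCP/445 for the mssecsvc.exe service instance (consistent with WannaCry's known SMB propagation, but not stated anywhere in this report) are all assumptions.

```python
"""Flow-level fan-out detection for the 'contacts a large number of remote
hosts' / 'creates a large number of network flows' signatures.  Flow records
are CONSTRUCTED below with an assumed schema (t/pid/image/proto/dst_ip/dst_port);
they are not exported from the sandbox."""
from collections import defaultdict, deque
import ipaddress

THRESHOLD = 100  # distinct destination hosts per (process, port) ...
WINDOW = 60.0    # ... inside this many seconds; both are assumed tuning values

MSSECSVC = r"C:\WINDOWS\mssecsvc.exe"
BROWSER = r"C:\Program Files\Internet Explorer\iexplore.exe"


def make_flows():
    """Constructed flow log shaped after the report's process tree."""
    flows = []
    # Assumed: the service instance (PID 3028) sweeps its /24 and then a spread of
    # public hosts on TCP/445, consistent with WannaCry's SMB propagation. The port
    # is not stated in this report.
    for i in range(254):
        flows.append({"t": i * 0.1, "pid": 3028, "image": MSSECSVC, "proto": "tcp",
                      "dst_ip": f"10.0.0.{i + 1}", "dst_port": 445})
    for i in range(200):
        ip = str(ipaddress.IPv4Address(0x0B000000 + i * 7919))  # deterministic, all distinct
        flows.append({"t": 30 + i * 0.1, "pid": 3028, "image": MSSECSVC, "proto": "tcp",
                      "dst_ip": ip, "dst_port": 445})
    # Benign control: a browser fetching one page from twenty CDN hosts over TLS.
    for i in range(20):
        flows.append({"t": 5 + i, "pid": 5120, "image": BROWSER, "proto": "tcp",
                      "dst_ip": f"203.0.113.{i + 1}", "dst_port": 443})
    return flows


def detect_scans(flows, threshold=THRESHOLD, window=WINDOW):
    """One alert per (pid, dst_port), raised the first time the number of distinct
    destination hosts seen inside a sliding `window` exceeds `threshold`."""
    recent = defaultdict(deque)                    # key -> (t, ip) still inside the window
    live = defaultdict(lambda: defaultdict(int))   # key -> ip -> flows to it inside the window
    alerts = {}
    for f in sorted(flows, key=lambda x: x["t"]):
        key = (f["pid"], f["dst_port"])
        if key in alerts:
            continue
        q, hosts = recent[key], live[key]
        q.append((f["t"], f["dst_ip"]))
        hosts[f["dst_ip"]] += 1
        while q and f["t"] - q[0][0] > window:    # expire flows older than the window
            _, old_ip = q.popleft()
            hosts[old_ip] -= 1
            if hosts[old_ip] == 0:
                del hosts[old_ip]
        if len(hosts) > threshold:
            alerts[key] = {"pid": f["pid"], "image": f["image"], "dst_port": f["dst_port"],
                           "distinct_hosts": len(hosts), "t": f["t"]}
    return list(alerts.values())


def distinct_hosts_per_process(flows):
    """Whole-trace summary comparable to the report's remote-host count."""
    seen = defaultdict(set)
    for f in flows:
        seen[f["pid"]].add(f["dst_ip"])
    return {pid: len(ips) for pid, ips in seen.items()}


if __name__ == "__main__":
    flows = make_flows()
    print(distinct_hosts_per_process(flows))
    for a in detect_scans(flows):
        print(f"scan: pid={a['pid']} {a['image']} port={a['dst_port']} "
              f"{a['distinct_hosts']} hosts by t={a['t']:.1f}s")
```

The whole-trace summary is the number the report's 3277 figure corresponds to; the sliding window is what lets the rule fire on the 101st distinct host rather than after the sweep has finished. The browser control on TCP/443 is there because a per-process threshold set too low will trip on ordinary page loads, so tune it against your own baseline before relying on it.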
Processes
-
Image: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa6c3af589f56e44fa4f00cc5ee60169.dll,#1
- Suspicious use of WriteProcessMemory
PID:1684
  -
  Image: C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa6c3af589f56e44fa4f00cc5ee60169.dll,#1
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1792
    -
    Image: C:\WINDOWS\mssecsvc.exe
    Command line: C:\WINDOWS\mssecsvc.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1112
      -
      Image: C:\WINDOWS\tasksche.exe
      Command line: C:\WINDOWS\tasksche.exe /i
      - Executes dropped EXE
      PID:3168
-
Image: C:\WINDOWS\mssecsvc.exe
Command line: C:\WINDOWS\mssecsvc.exe -m security
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3028
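The process tree and the file and registry signatures above translate directly into endpoint detection rules. The Python below is an added example, not code from the sandbox or from this report: it replays a constructed event stream shaped after this tree (a Sysmon-like schema with assumed field names; the parent PIDs of the two root processes are not in the report and are left unset) and raises the three behaviours the report flags: an EXE written straight into the C:\WINDOWS root, execution of a file dropped earlier in the same trace, and ZoneMap writes under HKEY_USERS\.DEFAULT by something other than a browser or shell. The lineage helper makes the x64 rundll32.exe relaunching its SysWOW64 copy visible (normal when the DLL is 32-bit) before the dropped service binary appears. The allowlist and the benign msiexec.exe control event are assumptions.

```python
"""Detection logic for the behaviours this report flags (file dropped into
C:\\WINDOWS, execution of a dropped EXE, ZoneMap writes under
HKEY_USERS\\.DEFAULT), run over a constructed stream of endpoint events.
The event schema (type/pid/ppid/image/cmdline/target/key) is an assumed
Sysmon-like shape, not the sandbox's export format."""
from collections import namedtuple

Alert = namedtuple("Alert", "rule pid detail")

# Constructed events mirroring the report's process tree. Parent PIDs that the
# report does not give (the two roots) are set to None.
EVENTS = [
    {"t": 0, "type": "process_create", "pid": 1684, "ppid": None,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa6c3af589f56e44fa4f00cc5ee60169.dll,#1"},
    {"t": 1, "type": "process_create", "pid": 1792, "ppid": 1684,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa6c3af589f56e44fa4f00cc5ee60169.dll,#1"},
    {"t": 2, "type": "file_create", "pid": 1792, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"t": 3, "type": "process_create", "pid": 1112, "ppid": 1792,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"t": 4, "type": "file_create", "pid": 1112, "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"C:\WINDOWS\tasksche.exe"},
    {"t": 5, "type": "process_create", "pid": 3168, "ppid": 1112,
     "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"t": 6, "type": "process_create", "pid": 3028, "ppid": None,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"t": 7, "type": "registry_set", "pid": 3028, "image": r"C:\WINDOWS\mssecsvc.exe",
     "key": r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet",
     "value": 1},
    # Benign control (assumed): an installer writing a non-EXE into a C:\WINDOWS subdirectory.
    {"t": 8, "type": "file_create", "pid": 4000, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\WINDOWS\Installer\1a2b3c.msi"},
]

WINDIR = r"c:\windows"
ZONEMAP_PREFIX = ("\\registry\\user\\.default\\software\\microsoft\\windows"
                  "\\currentversion\\internet settings\\zonemap\\")
# Assumed allowlist of processes expected to touch ZoneMap; tune per environment.
ZONEMAP_ALLOWED = {"iexplore.exe", "msedge.exe", "explorer.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return the alerts raised by the three rules, in event order."""
    alerts = []
    dropped = {}  # lowercased path -> pid that wrote it
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "file_create":
            target = ev["target"].lower()
            dropped[target] = ev["pid"]
            # Rule 1: an EXE written directly into the %WINDIR% root (not a subdirectory).
            rest = target[len(WINDIR) + 1:]
            if target.startswith(WINDIR + "\\") and "\\" not in rest and rest.endswith(".exe"):
                alerts.append(Alert("drops_exe_in_windows_dir", ev["pid"], ev["target"]))
        elif ev["type"] == "process_create":
            # Rule 2: the image being started was created earlier in this trace.
            dropper = dropped.get(ev["image"].lower())
            if dropper is not None:
                alerts.append(Alert("executes_dropped_exe", ev["pid"], dropper))
        elif ev["type"] == "registry_set":
            # Rule 3: ZoneMap values in the .DEFAULT hive (SYSTEM context) set by a
            # process that is neither a browser nor the shell.
            if (ev["key"].lower().startswith(ZONEMAP_PREFIX)
                    and basename(ev["image"]) not in ZONEMAP_ALLOWED):
                alerts.append(Alert("zonemap_write_default_hive", ev["pid"], ev["key"]))
    return alerts


def lineage(events, pid):
    """Ancestry of `pid` as image basenames, root first, from process_create events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a.rule, a.pid, a.detail, "<-", " > ".join(lineage(EVENTS, a.pid)))
```

Rule 2 keys on the path, so the second mssecsvc.exe instance (PID 3028, started with -m security and with no parent in the trace) is still tied back to the rundll32.exe that wrote the file, which is what the report's "Executes dropped EXE" row for 3028 expresses. The .DEFAULT hive is the profile loaded for SYSTEM services, so a ZoneMap write there by a freshly dropped service is a stronger signal than the same write by explorer.exe under a user hive.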
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
3.6MB
-
MD5
550fbbe39f6bb8cc978e37112d7760da
-
SHA1
a04f21a2aa3270944e91d446707be1344cdee667
-
SHA256
d29233288fed7ec3006b75fbab5c4259ba1bdfd89d3fad00fb26dc41fa9bd656
-
SHA512
456223a4c31bb1f99409b439c74b2656f3890aa4c4646b57007457300f8cf665628aaa31edde881d3d7f41846dfb5e20dddaa58534f8eea95713fe8f82c28103
-
Filesize
3.4MB
-
MD5
1fa7f9b832ae1d065695f71a8c7714b0
-
SHA1
274aa1fe26b8668adfb5bfff31917aeff93c12b0
-
SHA256
3f3b01ae8849baf9c28b373ab7bcdc369f8dbc376d6e07ec1918ea2c37871dcf
-
SHA512
3e1e3aa556624ef5886c34766e36fea6010c4a3d1db4df3fe859bb82ced94384473ce499a6598f593650b8f5a305708249a917513d3564b243481371c7d8850c