Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2022, 07:46

Static task: static1
Behavioral task: behavioral1
  Sample: 62ed37a3261ee068f20ae40345d68dce.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 62ed37a3261ee068f20ae40345d68dce.dll
  Resource: win10v2004-20220414-en
General
Target: 62ed37a3261ee068f20ae40345d68dce.dll
Size: 5.0MB
MD5: 62ed37a3261ee068f20ae40345d68dce
SHA1: 7c576f3ddc9442b44f5345540cde155af694329e
SHA256: 630cfd1793a5d28904da942e5d84e386a13c03cd4c5270001a81f4025d57c077
SHA512: d673c5c471f05ae3b32b02c4524db62f2d435ee295f77d1f9ff0ffb7a2e6c5811eee86e973d4967e767b4fc53bc721f805ad10c2ed3ae56f141e7f09c87b1c53
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3192) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  548   mssecsvr.exe
  4388  mssecsvr.exe
  1260  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvr.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvr.exe
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2920  1260        WerFault.exe  83
  2412  1260        WerFault.exe  83
- Modifies data under HKEY_USERS (5 IoCs)
  description      ioc                                                                                                   Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\           mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvr.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvr.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   Process       procid_target
  PID 2004 wrote to memory of 3764   2004  rundll32.exe  80
  PID 2004 wrote to memory of 3764   2004  rundll32.exe  80
  PID 2004 wrote to memory of 3764   2004  rundll32.exe  80
  PID 3764 wrote to memory of 548    3764  rundll32.exe  81
  PID 3764 wrote to memory of 548    3764  rundll32.exe  81
  PID 3764 wrote to memory of 548    3764  rundll32.exe  81
  PID 548 wrote to memory of 1260    548   mssecsvr.exe  83
  PID 548 wrote to memory of 1260    548   mssecsvr.exe  83
  PID 548 wrote to memory of 1260    548   mssecsvr.exe  83
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\62ed37a3261ee068f20ae40345d68dce.dll,#1
  PID: 2004
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\62ed37a3261ee068f20ae40345d68dce.dll,#1
    PID: 3764
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      PID: 548
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1260
        - Executes dropped EXE
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 216
          PID: 2920
          - Program crash
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 220
          PID: 2412
          - Program crash
C:\WINDOWS\mssecsvr.exe
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  PID: 4388
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1260 -ip 1260
  PID: 3492
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1260 -ip 1260
  PID: 3536
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.2MB
  MD5: c4bad625b192a1ca49deec0d0bd624bc
  SHA1: 307cb2044420379c8d5102d11071a1b8370ee501
  SHA256: e7b3e643a52a7648320b817976cb96764075db281b457f36d06c94ce91adb4ff
  SHA512: e7120451719c263737945dc9607e3419d71ea92b3f9ca3d10844523bfc3e592098a2ffb428fecb1035c6aa7c1870ab3988bd99f63f24bd1f4bd88639c8f4c060
- Filesize: 2.0MB
  MD5: ff6e8851801d2356c92cb126b2d3d917
  SHA1: fd54c606869a037a1a185556db142bee37d44671
  SHA256: ac277431dbb922802187413c2c726b2631b293f02d92da74ab4a2ac98cd0529b
  SHA512: e21bcdd91007da09eade3ef0ae754890816623b4f9d2301458e4c141d1193284e3d4376b44342bcb50f9eed7001178a4791e61141b04471b4da88d5fca23d05c
- Filesize: 2.2MB
  MD5: c4bad625b192a1ca49deec0d0bd624bc
  SHA1: 307cb2044420379c8d5102d11071a1b8370ee501
  SHA256: e7b3e643a52a7648320b817976cb96764075db281b457f36d06c94ce91adb4ff
  SHA512: e7120451719c263737945dc9607e3419d71ea92b3f9ca3d10844523bfc3e592098a2ffb428fecb1035c6aa7c1870ab3988bd99f63f24bd1f4bd88639c8f4c060
- Filesize: 2.2MB
  MD5: c4bad625b192a1ca49deec0d0bd624bc
  SHA1: 307cb2044420379c8d5102d11071a1b8370ee501
  SHA256: e7b3e643a52a7648320b817976cb96764075db281b457f36d06c94ce91adb4ff
  SHA512: e7120451719c263737945dc9607e3419d71ea92b3f9ca3d10844523bfc3e592098a2ffb428fecb1035c6aa7c1870ab3988bd99f63f24bd1f4bd88639c8f4c060
- Filesize: 2.0MB
  MD5: ff6e8851801d2356c92cb126b2d3d917
  SHA1: fd54c606869a037a1a185556db142bee37d44671
  SHA256: ac277431dbb922802187413c2c726b2631b293f02d92da74ab4a2ac98cd0529b
  SHA512: e21bcdd91007da09eade3ef0ae754890816623b4f9d2301458e4c141d1193284e3d4376b44342bcb50f9eed7001178a4791e61141b04471b4da88d5fca23d05c