Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20/07/2022, 07:46
Static task
static1
Behavioral task
behavioral1
Sample
9c30ed6837ce0a422697827dd7f2c2f0.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
9c30ed6837ce0a422697827dd7f2c2f0.dll
Resource
win10v2004-20220414-en
General
-
Target
9c30ed6837ce0a422697827dd7f2c2f0.dll
-
Size
5.0MB
-
MD5
9c30ed6837ce0a422697827dd7f2c2f0
-
SHA1
53e08ab7b7fbad810b1dd7f8371266245910a445
-
SHA256
2ff2a4b08a9b7786c46b7a2afc90121b83c9fac94641278aae01d65e896f4a2d
-
SHA512
78cd1c2ab0b6765417998766dcace14b882987cead4457fbc32bcb0121ebf2dfd8edf35620458c4d4d31e3b592f2d52c9ca4c17d780495d47447d55fc94083f8
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (3250) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid   Process
2932  mssecsvc.exe
4988  mssecsvc.exe
3560  tasksche.exe
-
Creates a large number of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description   ioc                       Process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
description      ioc                                                                                                  Process
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\         mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
description                       pid   Process       procid_target
PID 2992 wrote to memory of 460   2992  rundll32.exe  82
PID 2992 wrote to memory of 460   2992  rundll32.exe  82
PID 2992 wrote to memory of 460   2992  rundll32.exe  82
PID 460 wrote to memory of 2932   460   rundll32.exe  83
PID 460 wrote to memory of 2932   460   rundll32.exe  83
PID 460 wrote to memory of 2932   460   rundll32.exe  83
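The two network signatures above ("contacts a large number of remote hosts" and "creates a large number of network flows") are fan-out heuristics: one process opening connections to far more distinct hosts than any legitimate client would within a short window. The following detector is an added example, not code from the sandbox or from the sample. It replays per-process flow records (constructed below, in the shape a host sensor such as Sysmon event 3 provides) and flags any process that reaches more distinct remote hosts inside one window than a threshold allows. The threshold, the window and every record are assumptions for illustration; the report itself only states the total it observed (3250 hosts).

```python
"""Distinct-host fan-out detector for a process's outbound connections.

Added example: not the sandbox's or the sample's code. Flow records, the
threshold and the window are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    pid: int
    image: str       # full image path of the connecting process
    dst_ip: str
    dst_port: int


def sample_flows():
    """Constructed input: one process sweeping a /24 on TCP 445 within a few
    seconds (port 445 is an assumption taken from WannaCry's known SMB
    propagation, not a value this report records) and one browser talking to
    a single remote host over twenty seconds."""
    base = 1_658_300_000.0
    flows = [
        Flow(base + i * 0.01, 2932, r"C:\WINDOWS\mssecsvc.exe", str(host), 445)
        for i, host in enumerate(ipaddress.ip_network("10.0.0.0/24").hosts())
    ]
    flows += [
        Flow(base + i, 1234, r"C:\Program Files\Mozilla Firefox\firefox.exe",
             "93.184.216.34", 443)
        for i in range(20)
    ]
    return flows


def fan_out_alerts(flows, threshold=100, window_s=60.0):
    """Return {(pid, image): (peak_distinct_hosts, sorted_ports)} for every
    process whose distinct destination-host count within any window_s-second
    window exceeds threshold. Uses a two-pointer sliding window over the
    time-sorted flows of each process, so it is linear in the flow count."""
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f.pid, f.image)].append(f)

    alerts = {}
    for key, fl in by_proc.items():
        fl.sort(key=lambda f: f.ts)
        in_window = Counter()   # dst_ip -> flows currently inside the window
        peak, j = 0, 0
        for i, first in enumerate(fl):
            # advance the right edge while fl[j] still falls inside the window
            while j < len(fl) and fl[j].ts - first.ts <= window_s:
                in_window[fl[j].dst_ip] += 1
                j += 1
            peak = max(peak, len(in_window))
            # slide the left edge past fl[i]
            in_window[first.dst_ip] -= 1
            if in_window[first.dst_ip] == 0:
                del in_window[first.dst_ip]
        if peak > threshold:
            alerts[key] = (peak, sorted({f.dst_port for f in fl}))
    return alerts


if __name__ == "__main__":
    for (pid, image), (hosts, ports) in fan_out_alerts(sample_flows()).items():
        print(f"pid {pid} {image}: {hosts} distinct hosts in 60s, ports {ports}")
```

Keying on (pid, image) rather than on pid alone avoids merging a recycled pid with an unrelated process; the port set is reported because a scanner normally hammers one or two ports, which separates it from a busy but legitimate client reaching many hosts on many ports.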
Processes
-
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c30ed6837ce0a422697827dd7f2c2f0.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2992
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c30ed6837ce0a422697827dd7f2c2f0.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 460
    C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2932
      C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3560

C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4988
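The tree above is the whole infection chain in four process creations: the 64-bit rundll32.exe re-launches the SysWOW64 copy because the DLL is 32-bit (the resource tags list arch:x86), the ",#1" suffix tells rundll32 to call the export at ordinal 1, that export writes mssecsvc.exe into C:\WINDOWS and runs it, mssecsvc.exe drops and starts tasksche.exe /i, and a second mssecsvc.exe instance runs with "-m security", the form it uses when started as a service. The matcher below is an added example, not the sandbox's or the sample's code. It scans constructed Sysmon-style events (event 1 = process create, event 13 = registry value set; the field names are assumptions modelled on Sysmon) for exactly that chain plus the ZoneMap writes under \REGISTRY\USER\.DEFAULT listed in the Signatures section. The parent pid of the service instance (652) and the benign rundll32 record are constructed, not taken from the report.

```python
"""Process-chain and registry matcher for the rundll32 -> mssecsvc.exe ->
tasksche.exe sequence.

Added example: not the sandbox's or the sample's code. Event shape is an
assumption modelled on Sysmon; the event list is constructed for illustration.
"""
import re

# Constructed Sysmon-style events. Pids and command lines mirror the report;
# ppid 652 for the service instance and the final benign record are invented.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 460, "ppid": 2992, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c30ed6837ce0a422697827dd7f2c2f0.dll,#1"},
    {"id": 1, "pid": 2932, "ppid": 460, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"id": 1, "pid": 3560, "ppid": 2932, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"id": 1, "pid": 4988, "ppid": 652, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"id": 13, "pid": 4988, "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass",
     "value": "1"},
    {"id": 13, "pid": 4988, "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect",
     "value": "0"},
    # benign control: rundll32 invoking a named export of a system DLL
    {"id": 1, "pid": 700, "ppid": 600, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

ORDINAL_ONE = re.compile(r"\.dll,#1\s*$", re.I)      # rundll32 ordinal-export syntax
SERVICE_MODE = re.compile(r"\s-m\s+security\s*$", re.I)
TASKSCHE_I = re.compile(r"\s/i\s*$", re.I)
ZONEMAP = re.compile(
    r"^(?:HKU|\\REGISTRY\\USER)\\\.DEFAULT\\.*\\Internet Settings\\ZoneMap\\"
    r"(ProxyBypass|IntranetName|UNCAsIntranet|AutoDetect)$", re.I)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def match_chain(events):
    """Return a list of (finding, ...) tuples for every stage of the chain seen."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in procs.values():
        name = basename(e["image"])
        parent = procs.get(e["ppid"])
        if name == "mssecsvc.exe" and e["image"].lower() == r"c:\windows\mssecsvc.exe":
            if parent and basename(parent["image"]) == "rundll32.exe" \
                    and ORDINAL_ONE.search(parent["cmd"]):
                findings.append(("rundll32_ordinal1_spawns_mssecsvc", parent["pid"], e["pid"]))
            if SERVICE_MODE.search(e["cmd"]):
                findings.append(("mssecsvc_service_mode", e["pid"]))
        if name == "tasksche.exe" and parent and basename(parent["image"]) == "mssecsvc.exe" \
                and TASKSCHE_I.search(e["cmd"]):
            findings.append(("mssecsvc_spawns_tasksche_i", parent["pid"], e["pid"]))
    for e in events:
        if e["id"] == 13 and basename(e["image"]) == "mssecsvc.exe" \
                and ZONEMAP.search(e["target"]):
            findings.append(("zonemap_write", e["pid"], e["target"].rsplit("\\", 1)[-1], e["value"]))
    return findings


if __name__ == "__main__":
    for f in match_chain(SAMPLE_EVENTS):
        print(f)
```

Each stage is matched on its own so a partial chain (for example the DLL loaded but the drop blocked) still produces a finding; the benign rundll32 record matches nothing because it names an export rather than ordinal 1 and spawns nothing in C:\WINDOWS.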
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
3.6MB
MD5
b88c1916a89289c0a2b5dc653a6c8d59
SHA1
887cac7ed35865c9c14f9196b0e282c159e997e6
SHA256
6a7789c59e834612c1407e0eeae5140bc93385f20e269c19e56f7d7890171bd6
SHA512
f9fa8f427f65b16140c60479c07cf5c8152556b2ddfcd1e2c7752c424a54b9378094428f38d86a4b6f6c08c0b72c4563205d60bdc2bccb585a23721686f606fd
-
Filesize
3.4MB
MD5
774c854be940865edcc542e7c700e2a8
SHA1
7584db11fd1d7350ba77689c6121f1645b254378
SHA256
d2ec9d641e375cdc0c1ff1756980d044a58c10bb25bb3994bb273ee458da5bde
SHA512
65a4977574770e6f2d662fb99fa8b27d11694dc79c0abeb5029517c587cf17bab63cca01d9e40407b12ac9d42c01a185e8926c5144c9304b033e67f98f11b560