Analysis
max time kernel: 156s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/07/2022, 07:48
Static task: static1
Behavioral task: behavioral1
  Sample: 2fef747b9af97b5d5f51f6c8b78fc7e5.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 2fef747b9af97b5d5f51f6c8b78fc7e5.dll
  Resource: win10v2004-20220718-en
General
Target: 2fef747b9af97b5d5f51f6c8b78fc7e5.dll
Size: 5.0MB
MD5: 2fef747b9af97b5d5f51f6c8b78fc7e5
SHA1: 2819b156e2642287f6e5b8f3edf44be868f42398
SHA256: eef05d989b43900560a8bee6a5dc777bbf3bbc2ce303000aa37143c5d5866ab4
SHA512: dfaca04e2f9361388d69809f17511b845f7f265f28ef923bc817c02c324ba1ec4b787f293562f18c53bdf8b3429fcbb0861fe9751a0a8a8773579c424082914c
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3073) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  pid   Process
  4280  mssecsvc.exe
  2696  mssecsvc.exe
  3484  tasksche.exe

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  description  | ioc                     | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                      | pid  | Process      | procid_target
  PID 2228 wrote to memory of 3972 | 2228 | rundll32.exe | 77
  PID 2228 wrote to memory of 3972 | 2228 | rundll32.exe | 77
  PID 2228 wrote to memory of 3972 | 2228 | rundll32.exe | 77
  PID 3972 wrote to memory of 4280 | 3972 | rundll32.exe | 78
  PID 3972 wrote to memory of 4280 | 3972 | rundll32.exe | 78
  PID 3972 wrote to memory of 4280 | 3972 | rundll32.exe | 78
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fef747b9af97b5d5f51f6c8b78fc7e5.dll,#1
  PID: 2228
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fef747b9af97b5d5f51f6c8b78fc7e5.dll,#1
    PID: 3972
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4280
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3484
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2696
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 3.6MB
MD5: 847552f3a002185c4a835f9591a97581
SHA1: 3571a6c8c5f9eb76a246f1bcb7a274fb4f1cec7a
SHA256: a79301ea4e6776c0b655276aed6ba149c7cbf9a37c219c8dc22fb857e5df191b
SHA512: 0136b37902aab5ddb58ae284b44d78c178351163631374cd5d69635eb4890ace8a437714d812f9d3e0e4b017f94e5cf2046dd00b356083ae5a5a36cfb1ce78d8
Filesize: 3.4MB
MD5: 4ae2a7352491c1f756b738048a66e3e8
SHA1: 12ab9b1ceeb165b3d3f5ede529d05f2c2a260436
SHA256: 6d5c3b74f8bd7df577ee946df65e6d4baf85739c13daa7d3f71858cba94ef9a1
SHA512: c9e5cb8eeccd0159aa6a23a50005ea028e4d4e9b3c20afa73411de49331074dd5870330cfedbc5c4dcd02611c49703838aca7e4884395dafe12a9d6c6c4cf750