Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20/07/2022, 07:47
Static task
static1
Behavioral task
behavioral1
Sample
423bca29674fc6cd58fed852427b1ffe.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
423bca29674fc6cd58fed852427b1ffe.dll
Resource
win10v2004-20220718-en
General
-
Target
423bca29674fc6cd58fed852427b1ffe.dll
-
Size
5.0MB
-
MD5
423bca29674fc6cd58fed852427b1ffe
-
SHA1
73b781e52f612230ebcf0070db8d12f72ccbd3f9
-
SHA256
53d1efc21234848acd0610876f9888836cdaca9cba20bd5a74196ea76f808080
-
SHA512
51bb12e591a3c780151cb42a7f4faa217a243730f925fc070fbf6be707e607f5ea412016b5c92cbe0dbae8ca0585e472cf767d44f90dc704696ad8668a05ab2c
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3129) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
- PID 4792: mssecsvc.exe
- PID 3636: mssecsvc.exe
- PID 372: tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
- File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
-
Modifies data under HKEY_USERS 5 IoCs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (process: mssecsvc.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (process: mssecsvc.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (process: mssecsvc.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (process: mssecsvc.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (process: mssecsvc.exe)
-
Suspicious use of WriteProcessMemory 6 IoCs
- PID 3832 wrote to memory of 4716 (process: 3832 rundll32.exe, procid_target: 76)
- PID 3832 wrote to memory of 4716 (process: 3832 rundll32.exe, procid_target: 76)
- PID 3832 wrote to memory of 4716 (process: 3832 rundll32.exe, procid_target: 76)
- PID 4716 wrote to memory of 4792 (process: 4716 rundll32.exe, procid_target: 77)
- PID 4716 wrote to memory of 4792 (process: 4716 rundll32.exe, procid_target: 77)
- PID 4716 wrote to memory of 4792 (process: 4716 rundll32.exe, procid_target: 77)
Processes
Process tree (indentation shows parent/child relationship; first line of each entry is the image path, second line is the command line):

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\423bca29674fc6cd58fed852427b1ffe.dll,#1
  PID: 3832
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\423bca29674fc6cd58fed852427b1ffe.dll,#1
    PID: 4716
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      PID: 4792
      - Executes dropped EXE
      - Drops file in Windows directory

      C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        PID: 372
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  PID: 3636
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
3.6MB (this entry appears three times in the report with identical hashes)
MD5
05caef754cf3d8f494ed1be4bb2efd53
SHA1
eb3b2202d9d54fec56c62d256254cd36c235ed61
SHA256
9c79438f1ccfc7187af064f6d9badfe9e33680928d82cf59a1e512421e2422dc
SHA512
f321020b49b03bf691e45ebbcca092c8219876399aaaa42b116bed51140528dd40519f03d93f2b033319fa729f3704569d393c021523d1c53eea831980707940
-
Filesize
3.4MB
MD5
7d1a1e425c3a214a649013d89e82d6b4
SHA1
b695fd52830c6124b1799d0ba0d256fbd786a2f7
SHA256
3743d8bb3d584eb76a7e74dcc199b2674a4dc77a72c9236e1f3ebc5eaf51c7d6
SHA512
ab939c536bf339a70dab35178fdb90919c98bc0e3bf7982380390a6b8bd769e120dff9406db781a852b9da1bcc998bfd6df5f46bb5e8b91621b87a69d436f79f