Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-07-2022 04:17
Static task: static1
Behavioral task: behavioral1
  Sample: e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll
  Resource: win10v2004-20220721-en
General
- Target: e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll
- Size: 5.0MB
- MD5: 46273765ba551414751b787b45b9362d
- SHA1: 61f746ee0c72970ebb11d56019ae297750d7b649
- SHA256: e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1
- SHA512: e9d46361b429fa3aeb126f0492a715aa5f06ad580fb8b3464be1cb324664a7a41cffcb1aea25a976a4336eee0e15cfaa804e36d19d4213b6173c58e7d5036886
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large (2638) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID   Process
  4780  mssecsvc.exe
  4520  mssecsvc.exe
  1804  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  Description      IoC                                                                                                      Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\             mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  Description                       PID   Process       Target process
  PID 4180 wrote to memory of 4776  4180  rundll32.exe  rundll32.exe
  PID 4180 wrote to memory of 4776  4180  rundll32.exe  rundll32.exe
  PID 4180 wrote to memory of 4776  4180  rundll32.exe  rundll32.exe
  PID 4776 wrote to memory of 4780  4776  rundll32.exe  mssecsvc.exe
  PID 4776 wrote to memory of 4780  4776  rundll32.exe  mssecsvc.exe
  PID 4776 wrote to memory of 4780  4776  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 9f2febd6d18a6ce6227a470ac3cefe7c
  SHA1: b42ad909f382aa3af976e65e0fc0b31ba2ed171e
  SHA256: a0f90f94e4f4a8ec24497109c2548bd24892069a70b619130ec2045d026dd6e0
  SHA512: 241b330563e2a2d87cb73fa1e003dc7aa12822248c2df999f8e1e249dd75d608ba5333f55171f711afb768b8b0f9aa961e3da9c768c9ebecb997863853cb6a02
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0a05a5da7327c4e5086d3c393fb890d9
  SHA1: 3b22803e310a65a509d9ed721b56da389e508831
  SHA256: e557d37e7763d698cfad36992f2cae832b49d56ac988e67dfe83edf348735d19
  SHA512: 5a792c4a62568b2ef5a4cd17e739e6237b38f7c2e167337a6cfb5d358fa33871fe8df8eb7ecf7a4dba59f82549088c22530d68deccccb4259280860335273c80
- memory/4776-130-0x0000000000000000-mapping.dmp
- memory/4780-131-0x0000000000000000-mapping.dmp