Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-08-2022 19:32
Static task: static1
Behavioral task: behavioral1
  Sample: 0b1de834200f2a3f108ef2e9a30c111c.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0b1de834200f2a3f108ef2e9a30c111c.dll
  Resource: win10v2004-20220812-en
General
Target: 0b1de834200f2a3f108ef2e9a30c111c.dll
Size: 5.0MB
MD5: 0b1de834200f2a3f108ef2e9a30c111c
SHA1: e1b9ec0d0afa57a4c6aaa3d37df03d8878c24a85
SHA256: b7f4cbd27d4447e9208e4b03736c8d124593d3f20da730d546cb63cf9c38c806
SHA512: 7392df838a21348fa3d040c84b9339fc2dd0447c0c6f79c195565f80274b950485736b892104c2fcb1e006da4a67ac00382ad9f3f8e18bde822f7222037bc34e
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (2605) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  PID   Process
  4420  mssecsvc.exe
  100   mssecsvc.exe
  2872  tasksche.exe
Drops file in Windows directory (2 IoCs)
  Description   IoC                      Process
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
Modifies data under HKEY_USERS (5 IoCs)
  Description      IoC                                                                                                    Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Description                         PID   Process       Target PID  Target process
  PID 2996 wrote to memory of 2140    2996  rundll32.exe  2140        rundll32.exe
  PID 2996 wrote to memory of 2140    2996  rundll32.exe  2140        rundll32.exe
  PID 2996 wrote to memory of 2140    2996  rundll32.exe  2140        rundll32.exe
  PID 2140 wrote to memory of 4420    2140  rundll32.exe  4420        mssecsvc.exe
  PID 2140 wrote to memory of 4420    2140  rundll32.exe  4420        mssecsvc.exe
  PID 2140 wrote to memory of 4420    2140  rundll32.exe  4420        mssecsvc.exe
Processes (nesting shows parent/child depth)
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b1de834200f2a3f108ef2e9a30c111c.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0b1de834200f2a3f108ef2e9a30c111c.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4fa3d0d7d1b0168e2466a2009bb7cd7b
  SHA1: 1c9bf4dadc66caea9b379de963c9ee17d984e884
  SHA256: bd7db1d396359de49aca7c8d8efbb509766e2e8b18cb2a9365412005cd6fee1c
  SHA512: bf67901a19638f269ae265907cba0dec0a43bb0508114ccdd993fb5f0bc7f28a5c09342b35288517e3e78b9470070ce93ef81fc72ebabebb3e89019a11e1bad7
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 436db9e51d1ef68c6630961d5170df1d
  SHA1: 10c0b3f11224244379f2fb2e81f0119d6b3d69a5
  SHA256: 9c798f466576044df5a6c3c9366c81c4d1e5e2ba37bbec90fc78522da465a73a
  SHA512: 18de6482a761b445f183973580234f373430a65bf9802e9cf7a65730b596a7c99effa60f2a00c5389ab3a6abcd423da558494d23d854914f27a43a76e5ce7414
memory/2140-132-0x0000000000000000-mapping.dmp
memory/4420-133-0x0000000000000000-mapping.dmp