Analysis
-
max time kernel
144s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-08-2022 19:33
Static task
static1
Behavioral task
behavioral1
Sample
03a5fa4484f00c7b2f7f8fb47adc5c9b.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
03a5fa4484f00c7b2f7f8fb47adc5c9b.dll
Resource
win10v2004-20220812-en
General
-
Target
03a5fa4484f00c7b2f7f8fb47adc5c9b.dll
-
Size
5.0MB
-
MD5
03a5fa4484f00c7b2f7f8fb47adc5c9b
-
SHA1
14b9afb09e86eb6be0a6fbf21c8b049cdc97c141
-
SHA256
b6f12ee8bf35f88f75f273efa51b5f7145a0788046db118031c56cf76d28c9b3
-
SHA512
14eecf96b091d9a7d3c67d83ba8a2b4eccd1afe0d69fcb503345efabb96f583f79f3d1f5f22ca845b2dccc0ac2fad9104e73ff6e86b0cb3ed51037f5c30db8bd
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEdhv593R8yAVp2H:+DqPe1Cxcxk3ZAE/R8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1736 mssecsvc.exe 4164 mssecsvc.exe 224 tasksche.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4376 wrote to memory of 4972 4376 rundll32.exe rundll32.exe PID 4376 wrote to memory of 4972 4376 rundll32.exe rundll32.exe PID 4376 wrote to memory of 4972 4376 rundll32.exe rundll32.exe PID 4972 wrote to memory of 1736 4972 rundll32.exe mssecsvc.exe PID 4972 wrote to memory of 1736 4972 rundll32.exe mssecsvc.exe PID 4972 wrote to memory of 1736 4972 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\03a5fa4484f00c7b2f7f8fb47adc5c9b.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\03a5fa4484f00c7b2f7f8fb47adc5c9b.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD5bdbe78fe7b331fe93e189a1c2d6ef552
SHA1be26b61244742ffd6890baec18ecb554363b7261
SHA2566de52192df48d902a75efd787573c771eb799bf0aba7a32963e761fdc9114f15
SHA51284a7bf9d30f8b1eaad4f1055c91dd030474f6840c1e632aa42dbc03a29a9a173a81c7c9139db5fe2f3e30108dc24a83bcaa90988178d311c1b24450bf70e7588
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5bdbe78fe7b331fe93e189a1c2d6ef552
SHA1be26b61244742ffd6890baec18ecb554363b7261
SHA2566de52192df48d902a75efd787573c771eb799bf0aba7a32963e761fdc9114f15
SHA51284a7bf9d30f8b1eaad4f1055c91dd030474f6840c1e632aa42dbc03a29a9a173a81c7c9139db5fe2f3e30108dc24a83bcaa90988178d311c1b24450bf70e7588
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5bdbe78fe7b331fe93e189a1c2d6ef552
SHA1be26b61244742ffd6890baec18ecb554363b7261
SHA2566de52192df48d902a75efd787573c771eb799bf0aba7a32963e761fdc9114f15
SHA51284a7bf9d30f8b1eaad4f1055c91dd030474f6840c1e632aa42dbc03a29a9a173a81c7c9139db5fe2f3e30108dc24a83bcaa90988178d311c1b24450bf70e7588
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5d1168ccc82d6d7a24436ca0275e9404b
SHA1e4cd895c95323ab7bd822525939b67416cd85638
SHA256f10bef260b7b62e11575891f3c62144607a3092729a2099215b3ae2fba2a09d7
SHA5123560e420a3de4b81b6f3ae9b4aef916bcd8a7ed6a5249d7ff14abefd2c6c47d3c134fea45437b1945d875609b95fe422395244eb60ad644c115168bd356a24bf
-
memory/1736-133-0x0000000000000000-mapping.dmp
-
memory/4972-132-0x0000000000000000-mapping.dmp