Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-09-2022 19:35
Static task: static1
Behavioral task: behavioral1
- Sample: 526f83cfa2794470c0b323518daf0de0.dll
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 526f83cfa2794470c0b323518daf0de0.dll
- Resource: win10v2004-20220812-en
General
- Target: 526f83cfa2794470c0b323518daf0de0.dll
- Size: 5.0MB
- MD5: 526f83cfa2794470c0b323518daf0de0
- SHA1: 959e822a1d78eb6c48a7cd6f4f979e97b8eb27db
- SHA256: f04d3056f82bae71b9e809c5c620f4f2d08857a1dbf0866a13269203cef171ac
- SHA512: b25b06ee50ca1aeb3a45de6a8ac777888532bec41b4266e4766a704ef3d7e0f15e91af832170ed6a1ccd28a491be7d0e35f7aaea1ec09182ed2d03adedfddef4
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhv8P593R8yAVp2H:TDqPe1Cxcxk3ZAEyzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (3049) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
- PID 2468: mssecsvc.exe
- PID 264: mssecsvc.exe
- PID 4892: tasksche.exe
Creates a large number of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
- File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
- File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
Modifies data under HKEY_USERS 5 IoCs
Processes:
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (mssecsvc.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (mssecsvc.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (mssecsvc.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (mssecsvc.exe)
Writes under HKEY_USERS\.DEFAULT come from the LocalSystem profile hive, so these are made by the service-mode instance (mssecsvc.exe -m security) rather than a user-context process; the ZoneMap values are typical of WinINet initialisation and are a side effect of the process going online, not a deliberate persistence change.
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
- PID 4728 (rundll32.exe) wrote to memory of PID 644 (rundll32.exe), 3 events
- PID 644 (rundll32.exe) wrote to memory of PID 2468 (mssecsvc.exe), 3 events
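The two network signatures above (3049 remote hosts contacted, a large number of flows) are the sandbox's fan-out heuristic: one source reaching an unusual number of distinct destination hosts in a short time. The following is an added example of that check as detection logic over flow records, not code from this report or the sandbox. The flow schema, the 60 s window, the 256-host threshold and the sample traffic are constructed assumptions; the sample's TCP/445 is WannaCry's documented SMB target and is not a value listed on this page.

```python
"""Network fan-out detector for the "contacts a large number of remote hosts"
signature. Added example, not sandbox code; the flow schema, the 60 s window,
the 256-host threshold and the sample traffic are constructed assumptions."""
import ipaddress
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since capture start
    src: str
    dst: str
    dport: int


def fan_out_alerts(flows, window=60.0, host_threshold=256):
    """Slide a time window over each source's flows and report sources that
    reach more than host_threshold distinct destination hosts inside one window.
    Result: {src: {"peak_hosts": n, "window_start": t, "ports": {...}}}."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        active = deque()                 # flows inside the current window
        live = defaultdict(int)          # dst -> number of flows to it inside the window
        peak, peak_start = 0, None
        for f in fl:
            active.append(f)
            live[f.dst] += 1
            while f.ts - active[0].ts > window:   # evict flows that fell out of the window
                old = active.popleft()
                live[old.dst] -= 1
                if live[old.dst] == 0:
                    del live[old.dst]
            if len(live) > peak:
                peak, peak_start = len(live), active[0].ts
        if peak > host_threshold:
            alerts[src] = {"peak_hosts": peak, "window_start": peak_start,
                           "ports": {f.dport for f in fl}}
    return alerts


def make_sample(seed=1):
    """Constructed traffic (not from the report): one host sweeping 3049 distinct
    addresses (the report's count) on TCP/445 over 150 s, plus a workstation
    talking repeatedly to four servers. Port 445 is an assumption based on
    WannaCry's known SMB propagation, not a value from this page."""
    rng = random.Random(seed)
    flows = []
    base = int(ipaddress.ip_address("10.0.0.0"))
    for i in range(3049):
        flows.append(Flow(ts=i * 150 / 3049, src="192.168.1.77",
                          dst=str(ipaddress.ip_address(base + 1 + i)), dport=445))
    servers = ["10.0.5.10", "10.0.5.11", "10.0.5.12", "172.16.0.5"]
    for _ in range(400):
        flows.append(Flow(ts=rng.uniform(0, 150), src="192.168.1.20",
                          dst=rng.choice(servers), dport=rng.choice([53, 443, 445])))
    return flows


if __name__ == "__main__":
    for src, a in fan_out_alerts(make_sample()).items():
        print(f"{src}: {a['peak_hosts']} distinct hosts within 60 s "
              f"starting t={a['window_start']:.1f}s, ports {sorted(a['ports'])}")
```

The distinct-host count is what separates a scanner from a busy client: the workstation in the sample makes 400 connections but to only four hosts and never trips the rule, while the sweeping host exceeds the threshold within the first minute. The ports set is reported alongside so an analyst can tell a single-service sweep (one port, many hosts) from a port scan of a few hosts.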
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\526f83cfa2794470c0b323518daf0de0.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\526f83cfa2794470c0b323518daf0de0.dll,#1
    (The sample is a 32-bit DLL, so the 64-bit rundll32.exe hands it off to its SysWOW64 counterpart with the same arguments; ordinal #1 is the export being called.)
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
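The process tree above is the chain a host-based detection should key on: rundll32.exe calling a DLL export by ordinal from a user Temp directory, an executable written directly into C:\Windows (not System32), that executable then run, a second stage tasksche.exe /i spawned by it, and a separate service-mode instance mssecsvc.exe -m security. The block below is an added example that turns those observations into rules over constructed Sysmon-style events; it is not code from this report or the sandbox. The event dict schema, the timestamps and the services.exe parent of the service-mode instance are assumptions; the PIDs, paths, command lines and SHA256 values are taken from this page.

```python
"""Host-telemetry rules for the dropper chain in this report, run over constructed
Sysmon-style events. Added example; the event schema (dict keys), timestamps and
the parent of the service-mode instance are assumptions, not sandbox output."""
import ntpath
import re
from dataclasses import dataclass

# SHA256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "f04d3056f82bae71b9e809c5c620f4f2d08857a1dbf0866a13269203cef171ac": "526f83cfa2794470c0b323518daf0de0.dll",
    "78bbe4a65e13a06df5ae05c158aeec7c0ed7883a62261a25c63673c600047d4c": "mssecsvc.exe",
    "3e4b13d1d3ac51041a7e8301c55f421545265d013fa9b0b6aa1aecf736fff735": "tasksche.exe",
}

# rundll32 calling a DLL export by ordinal (",#N") from a user Temp directory,
# exactly as the sandbox launched this sample.
ORDINAL_FROM_TEMP = re.compile(r"\\temp\\[^\s]+\.dll,#\d+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def base_name(path: str) -> str:
    return ntpath.basename(path).lower()


def in_windows_root(path: str) -> bool:
    """True for C:\\Windows\\x.exe, False for C:\\Windows\\System32\\x.exe."""
    return ntpath.dirname(path).lower().rstrip("\\").endswith(":\\windows")


def triage(events):
    """Return Findings for events matching the chain seen in the report:
    rundll32 (ordinal call) -> drops EXE into C:\\Windows -> executes it ->
    mssecsvc.exe -m security / tasksche.exe /i. Events are processed in time order
    so a drop can be linked to the later execution of the dropped file."""
    findings = []
    dropped_by_rundll32 = set()      # executables rundll32 wrote into the Windows root
    for e in sorted(events, key=lambda e: e["ts"]):
        img = base_name(e["image"])
        if e["event"] == "file_create":
            tgt = e["target"]
            if tgt.lower().endswith(".exe") and in_windows_root(tgt):
                findings.append(Finding("exe_dropped_in_windows_root", e["pid"], f"{img} -> {tgt}"))
                if img == "rundll32.exe":
                    dropped_by_rundll32.add(tgt.lower())
            continue
        cmd = e.get("cmdline", "")
        sha = e.get("sha256", "")
        if sha in KNOWN_SHA256:
            findings.append(Finding("known_hash", e["pid"], KNOWN_SHA256[sha]))
        if img == "rundll32.exe" and ORDINAL_FROM_TEMP.search(cmd):
            findings.append(Finding("rundll32_ordinal_from_temp", e["pid"], cmd))
        if e["image"].lower() in dropped_by_rundll32:
            findings.append(Finding("rundll32_drop_then_execute", e["pid"], e["image"]))
        if img == "mssecsvc.exe" and "-m security" in cmd.lower():
            findings.append(Finding("mssecsvc_service_mode", e["pid"], cmd))
        if img == "tasksche.exe" and base_name(e.get("parent_image", "")) == "mssecsvc.exe":
            findings.append(Finding("tasksche_from_mssecsvc", e["pid"], cmd))
    return findings


DLL = r"C:\Users\Admin\AppData\Local\Temp\526f83cfa2794470c0b323518daf0de0.dll"
SHA_SVC = "78bbe4a65e13a06df5ae05c158aeec7c0ed7883a62261a25c63673c600047d4c"
SHA_TSK = "3e4b13d1d3ac51041a7e8301c55f421545265d013fa9b0b6aa1aecf736fff735"

# Constructed events mirroring the report's process tree and file drops (PIDs,
# paths and hashes from the report; ts values and the services.exe parent of
# PID 264 are assumptions).
SAMPLE_EVENTS = [
    dict(ts=1, event="process_create", pid=4728, ppid=1000, image=r"C:\Windows\system32\rundll32.exe",
         parent_image=r"C:\Windows\explorer.exe", cmdline=f"rundll32.exe {DLL},#1"),
    dict(ts=2, event="process_create", pid=644, ppid=4728, image=r"C:\Windows\SysWOW64\rundll32.exe",
         parent_image=r"C:\Windows\system32\rundll32.exe", cmdline=f"rundll32.exe {DLL},#1"),
    dict(ts=3, event="file_create", pid=644, image=r"C:\Windows\SysWOW64\rundll32.exe",
         target=r"C:\WINDOWS\mssecsvc.exe"),
    dict(ts=4, event="process_create", pid=2468, ppid=644, image=r"C:\WINDOWS\mssecsvc.exe",
         parent_image=r"C:\Windows\SysWOW64\rundll32.exe", cmdline=r"C:\WINDOWS\mssecsvc.exe", sha256=SHA_SVC),
    dict(ts=5, event="file_create", pid=2468, image=r"C:\WINDOWS\mssecsvc.exe", target=r"C:\WINDOWS\tasksche.exe"),
    dict(ts=6, event="process_create", pid=4892, ppid=2468, image=r"C:\WINDOWS\tasksche.exe",
         parent_image=r"C:\WINDOWS\mssecsvc.exe", cmdline=r"C:\WINDOWS\tasksche.exe /i", sha256=SHA_TSK),
    dict(ts=7, event="process_create", pid=264, ppid=700, image=r"C:\WINDOWS\mssecsvc.exe",
         parent_image=r"C:\Windows\System32\services.exe", cmdline=r"C:\WINDOWS\mssecsvc.exe -m security", sha256=SHA_SVC),
    # Benign controls: an ordinary rundll32 call and an installer writing under System32.
    dict(ts=8, event="process_create", pid=900, ppid=1000, image=r"C:\Windows\System32\rundll32.exe",
         parent_image=r"C:\Windows\explorer.exe", cmdline="rundll32.exe shell32.dll,Control_RunDLL"),
    dict(ts=9, event="file_create", pid=901, image=r"C:\Windows\System32\msiexec.exe",
         target=r"C:\Windows\System32\drivers\vendor.sys"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:30} pid={f.pid:<5} {f.detail}")
```

The hash rule is the weakest of the set because a recompiled dropper changes it; the behavioural rules (ordinal call from Temp, executable written to the Windows root by rundll32 and then run, the -m security and /i arguments) survive that and are what the two benign control events are there to show do not fire on ordinary rundll32 and installer activity.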
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: f12b69c504464cc5443eb5ced38b690b
  SHA1: 40d08fe240c6dca35bab10eb630397919a9b5a88
  SHA256: 78bbe4a65e13a06df5ae05c158aeec7c0ed7883a62261a25c63673c600047d4c
  SHA512: be9e2fa92d379baa6cb92dd064ffd1c6c3ce360f75adcbe205aebb2c112d14b88da834d94b21bc2007aecff12d2eb04f378d80eb21be4563093121702ec70c5c
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 71cb28d82d822b74b5dabe0e7d08fb04
  SHA1: d9eb8751973dfb933c2c481e2205a47970e3f461
  SHA256: 3e4b13d1d3ac51041a7e8301c55f421545265d013fa9b0b6aa1aecf736fff735
  SHA512: 23a196afad2996e7fe6fb3305637fee476fff312f7554aefca3c098922fb3c44d9568a8d49c4d821fb81e95acc75debafd2f37b6208034a4497016afc2bb0210
- memory/644-132-0x0000000000000000-mapping.dmp
- memory/2468-133-0x0000000000000000-mapping.dmp