Analysis
- max time kernel: 74s
- max time network: 77s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-10-2022 13:41
Static task: static1

Behavioral task: behavioral1
- Sample: d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll
- Resource: win10v2004-20220812-en
General
- Target: d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll
- Size: 5.0MB
- MD5: 64f90ae0b16ad69df763d4172bf7b121
- SHA1: cd13b94c91bcc035464c28ca953b1fca990f59d5
- SHA256: d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7
- SHA512: 4d3987cf1e8f6d19f9d7c2009a579deb4793bba89fa12087a865ab4638b20183068520e656d0573974fd8ff8cc6b555f1b6289251d0864852412b070590b88fe
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9Z:+DqPoBhz1aRxcSUDk36SAEdhvxWa9Z
Malware Config

Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1048) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2108  mssecsvc.exe
    1544  mssecsvc.exe
    3384  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 4324 wrote to memory of 5076  4324  rundll32.exe  rundll32.exe
    PID 4324 wrote to memory of 5076  4324  rundll32.exe  rundll32.exe
    PID 4324 wrote to memory of 5076  4324  rundll32.exe  rundll32.exe
    PID 5076 wrote to memory of 2108  5076  rundll32.exe  mssecsvc.exe
    PID 5076 wrote to memory of 2108  5076  rundll32.exe  mssecsvc.exe
    PID 5076 wrote to memory of 2108  5076  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Downloads
- C:\WINDOWS\mssecsvc.exe (also listed as C:\Windows\mssecsvc.exe, identical hashes)
  Filesize: 3.6MB
  MD5: 797d5d31c4e6c1accb2cbfddec8d66b9
  SHA1: dd5d04b01214dffdd75c575eefd342026c66a39d
  SHA256: bbc4e7f739d9e7f38a343fc018bf5df9d654ed1a52dcaf00b6cc6cfdc8b18cbd
  SHA512: ec26bd4120474d5a996a61c202befb548b5add6ac933986f6a992d050f00ccc3ebe49d19dc6946479da5605067df7b02f26f56e64855b029721f8789ae563e42
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 04af554ac498ed9e1353a8751bee6001
  SHA1: 077c84f26b471c1b0075490d89fdfc5de6f7b9af
  SHA256: 84b63d5d32bdbc8570257cbd5592c37626c1808a662ad70ae8972a75b4c61158
  SHA512: 9fb261d4f2cedd26934df9f15f9044c22beaecbe109646fd0604b615344a9be124598018844b18b4a6e279df2431dba0158c9cf566036ecbbd3681e6e97e866a
- memory/2108-133-0x0000000000000000-mapping.dmp
- memory/5076-132-0x0000000000000000-mapping.dmp