Analysis
- max time kernel: 183s
- max time network: 193s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-10-2022 03:41
Static task: static1
Behavioral task: behavioral1
  Sample: 495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c.dll
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c.dll
  Resource: win10v2004-20220812-en
General
- Target: 495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c.dll
- Size: 5.0MB
- MD5: a51beb6c0ac1650cc9161d77a7b4ffe4
- SHA1: 140e7d3e026ed3e9372630792966943cafdf7d8c
- SHA256: 495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c
- SHA512: 6c319dc91ebb2f1808bb9e7eb3ee1beaa5357e334250802ac173fd73bbca267160b2bfac6db13b4468868b7ed05fd0e34baad54c2bb540140296d9ddb10e6030
- SSDEEP: 24576:ubLgurgDdmMSirYbcMNgef0QeQjG/D8kIqYmiHkQg65ASk+RdhAdmvctA0p+9XEk:unsEMSPbcBVQej/s1HkQrAARdhnvoAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm: it encrypts files on the host it runs on and propagates on its own by scanning for and exploiting the SMBv1 service on other reachable machines.
- Contacts a large number (758) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For WannaCry it is consistent with the SMB (TCP 445) propagation scan; the sandbox counts distinct destination hosts, not connections.
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 4256: mssecsvr.exe
  - PID 2812: mssecsvr.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvr.exe (by rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (by mssecsvr.exe)
  Note that both files are written directly into %SystemRoot%, which requires administrative rights; an unprivileged rundll32.exe would fail here.
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (all mssecsvr.exe):
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  HKEY_USERS\.DEFAULT is the profile hive used by the LocalSystem account, so these writes are consistent with mssecsvr.exe running as a service. ZoneMap values like these are commonly written as a side effect of WinINet initialisation in that context rather than as a deliberate persistence or proxy-evasion step, so treat them as a supporting indicator, not a primary one.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 3844 (rundll32.exe) wrote to memory of PID 4400 (rundll32.exe), 3 events
  - PID 4400 (rundll32.exe) wrote to memory of PID 4256 (mssecsvr.exe), 3 events
  A parent writing into a child it has just created is normal during process start-up, so these rows mostly document the spawn chain rundll32.exe -> rundll32.exe -> mssecsvr.exe rather than injection into an unrelated process.
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe (depth 1, separate tree)
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Reading the tree: ",#1" tells rundll32.exe to call the DLL's export with ordinal 1. The 64-bit rundll32.exe in system32 re-launches the 32-bit rundll32.exe from SysWOW64 because the DLL is 32-bit, and it is that second instance that writes and starts C:\WINDOWS\mssecsvr.exe. The second mssecsvr.exe (PID 2812) with the "-m security" argument is a root of its own tree, i.e. it was not spawned by the rundll32.exe chain but started separately, which is the instance that touches the HKEY_USERS\.DEFAULT hive.
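The signatures above (dropped EXE executed, file written into the Windows directory, ZoneMap writes under HKEY_USERS\.DEFAULT, fan-out to many remote hosts) map directly onto host telemetry. The following is an added example, not part of the sandbox report and not the sandbox's own logic: a small detector replaying those behaviours over constructed Sysmon-style event records. The hashes, paths, PIDs and registry values are taken from the report; the event schema, the rule names, the allowlist of images permitted to write into %SystemRoot%, the fan-out threshold and the destination addresses are assumptions for the illustration.

```python
# Added example, not from the sandbox report. Event schema, rule names, the
# allowlist and FANOUT_THRESHOLD are assumptions; hashes, paths and PIDs are the
# report's. Events are dicts shaped loosely like Sysmon records.
from collections import Counter, defaultdict

KNOWN_BAD_SHA256 = {
    "495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c",  # the DLL
    "363392deccfedda47ab0c639ffb37d5ebedb3218448ba1a8b80349382e3d2b00",  # mssecsvr.exe
}
ZONEMAP_KEY = (r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows"
               r"\CurrentVersion\Internet Settings\ZoneMap" + "\\")
# Assumed: servicing components that legitimately write directly into %SystemRoot%.
WINDIR_WRITERS_ALLOWED = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}
FANOUT_THRESHOLD = 100  # assumed: distinct remote hosts per process before alerting


def detect(events):
    """Return (rule, image, *details) tuples for the behaviours seen in the report."""
    findings = []
    dropped = {}                     # lowercased path -> image that created it
    remote_hosts = defaultdict(set)  # (pid, image) -> distinct destination IPs
    for ev in events:
        img = ev["image"]
        base = img.rsplit("\\", 1)[-1].lower()
        if ev["type"] in ("process_create", "image_load") and ev.get("sha256") in KNOWN_BAD_SHA256:
            findings.append(("known_bad_hash", img, ev["sha256"]))
        if ev["type"] == "file_create":
            path = ev["path"].lower()
            dropped[path] = img
            # Directly under C:\Windows\ (exactly two backslashes) and not a servicing component.
            if path.startswith("c:\\windows\\") and path.count("\\") == 2 \
                    and base not in WINDIR_WRITERS_ALLOWED:
                findings.append(("drops_file_in_windows_dir", img, ev["path"]))
        elif ev["type"] == "process_create" and img.lower() in dropped:
            # The executed image is a file we saw being written earlier in the stream.
            findings.append(("executes_dropped_exe", dropped[img.lower()], img, ev["pid"]))
        elif ev["type"] == "registry_set" and ev["key"].startswith(ZONEMAP_KEY):
            findings.append(("zonemap_modified", img, ev["key"][len(ZONEMAP_KEY):], ev["value"]))
        elif ev["type"] == "network_connect":
            remote_hosts[(ev["pid"], img)].add(ev["dst_ip"])
    for (pid, img), hosts in remote_hosts.items():
        if len(hosts) >= FANOUT_THRESHOLD:  # count distinct hosts, as the sandbox does
            findings.append(("remote_host_fanout", img, pid, len(hosts)))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    return Counter(f[0] for f in findings)


def sample_events():
    """Constructed event stream mirroring the process tree and IoCs in the report."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c.dll"
    r64 = r"C:\Windows\system32\rundll32.exe"
    r32 = r"C:\Windows\SysWOW64\rundll32.exe"
    svc = r"C:\WINDOWS\mssecsvr.exe"
    exe_hash = "363392deccfedda47ab0c639ffb37d5ebedb3218448ba1a8b80349382e3d2b00"
    ev = [
        {"type": "process_create", "pid": 3844, "image": r64},
        {"type": "image_load", "pid": 3844, "image": r64, "loaded": dll,
         "sha256": "495956157d35d72a276365fab6b4ec6387b2552d67444227dd4e1ade8336156c"},
        {"type": "process_create", "pid": 4400, "ppid": 3844, "image": r32},
        {"type": "file_create", "pid": 4400, "image": r32, "path": svc},
        {"type": "process_create", "pid": 4256, "ppid": 4400, "image": svc, "sha256": exe_hash},
        {"type": "file_create", "pid": 4256, "image": svc, "path": r"C:\WINDOWS\tasksche.exe"},
        {"type": "process_create", "pid": 2812, "image": svc, "sha256": exe_hash,
         "cmdline": svc + " -m security"},
    ]
    for name, val in (("ProxyBypass", 1), ("IntranetName", 1), ("UNCAsIntranet", 1), ("AutoDetect", 0)):
        ev.append({"type": "registry_set", "pid": 2812, "image": svc,
                   "key": ZONEMAP_KEY + name, "value": val})
    # 758 distinct destinations, the count the sandbox observed; the addresses are constructed.
    for i in range(758):
        ev.append({"type": "network_connect", "pid": 2812, "image": svc,
                   "dst_ip": f"10.0.{i // 254}.{i % 254 + 1}"})
    return ev


if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(finding)
```

Two design points worth noting. "Executes dropped EXE" is only detectable if the file-create event is retained until the process-create event arrives, so the detector keeps the dropped-path map for the whole stream; in a real pipeline that map needs a time bound. The fan-out rule counts distinct destination hosts per process, which is what makes a worm's scan stand out from a busy but legitimate client that talks repeatedly to a handful of servers.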
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvr.exe
  Filesize: 3.6MB
  MD5: b9d9625066a34cc108ca55ea141c624a
  SHA1: 4f51a129f39bb40a84f004997ceac9c6ac3fcd36
  SHA256: 363392deccfedda47ab0c639ffb37d5ebedb3218448ba1a8b80349382e3d2b00
  SHA512: 63fc7643dbae65c8996b8d3713c218703f542b7add86f260e6760c4601809c79a1a750fe7291bac3c8e0e822792923277cfcf7e6e1b195c4843638014219da0b
- memory/4256-133-0x0000000000000000-mapping.dmp
- memory/4400-132-0x0000000000000000-mapping.dmp