wannacry | 5527e5ed8fb971e705ebfe16f68e7a1175d80bdbfa92af672223fdc556f4fa9d

General

Target

66da6bd2b703134d7b74901f8a059419.dll
Size

5.0MB
MD5

66da6bd2b703134d7b74901f8a059419
SHA1

6ccd5843205e31b34fecdc53ca8917abe70e961c
SHA256

5527e5ed8fb971e705ebfe16f68e7a1175d80bdbfa92af672223fdc556f4fa9d
SHA512

76af3d35d378a412e9e00c0baaf9897b6cfac945107f980b8768cab90e614499d724a87de05d3a6ea1195acc1eba45cfeb9ee6871b93e672c36c56fafd1d44b2

Score

10^/10

wannacry evasion ransomware worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	mssecsvc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1"	mssecsvc.exe

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4204 created 4980 4204 WerFault.exe mssecsvc.exe
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

description	pid	process	target process
PID 4204 created 4980	4204	WerFault.exe	mssecsvc.exe

ServiceHost packer 13 IoCs

Detects ServiceHost packer used for .NET malware

Processes:

resource	yara_rule
behavioral2/memory/4980-8-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-12-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-14-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-16-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-17-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-15-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-13-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-18-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-19-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-20-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-21-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-22-0x0000000000000000-mapping.dmp	servicehost
behavioral2/memory/4980-23-0x0000000000000000-mapping.dmp	servicehost

Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

4980 mssecsvc.exe
4260 mssecsvc.exe

Drops file in System32 directory 7 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Y4JFUBT6.cookie	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Y4JFUBT6.cookie	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4204 4980 WerFault.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

pid	pid_target	process	target process
4204	4980	WerFault.exe	mssecsvc.exe

Modifies data under HKEY_USERS 8 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

mssecsvc.exemssecsvc.exeWerFault.exe

pid	process
4980	mssecsvc.exe
4980	mssecsvc.exe
4260	mssecsvc.exe
4260	mssecsvc.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe
4204	WerFault.exe

Suspicious behavior: MapViewOfSection 122 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid	process
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4980	mssecsvc.exe
4260	mssecsvc.exe
4260	mssecsvc.exe
4260	mssecsvc.exe
4260	mssecsvc.exe
4260	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

mssecsvc.exemssecsvc.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4980	mssecsvc.exe
Token: SeDebugPrivilege	4260	mssecsvc.exe
Token: SeRestorePrivilege	4204	WerFault.exe
Token: SeBackupPrivilege	4204	WerFault.exe
Token: SeDebugPrivilege	4204	WerFault.exe

Suspicious use of WriteProcessMemory 738 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 4764 wrote to memory of 4920	4764	rundll32.exe	rundll32.exe
PID 4764 wrote to memory of 4920	4764	rundll32.exe	rundll32.exe
PID 4764 wrote to memory of 4920	4764	rundll32.exe	rundll32.exe
PID 4920 wrote to memory of 4980	4920	rundll32.exe	mssecsvc.exe
PID 4920 wrote to memory of 4980	4920	rundll32.exe	mssecsvc.exe
PID 4920 wrote to memory of 4980	4920	rundll32.exe	mssecsvc.exe
PID 4980 wrote to memory of 544	4980	mssecsvc.exe	winlogon.exe
PID 4980 wrote to memory of 544	4980	mssecsvc.exe	winlogon.exe
PID 4980 wrote to memory of 544	4980	mssecsvc.exe	winlogon.exe
PID 4980 wrote to memory of 544	4980	mssecsvc.exe	winlogon.exe
PID 4980 wrote to memory of 544	4980	mssecsvc.exe	winlogon.exe
PID 4980 wrote to memory of 544	4980	mssecsvc.exe	winlogon.exe
PID 4980 wrote to memory of 628	4980	mssecsvc.exe	lsass.exe
PID 4980 wrote to memory of 628	4980	mssecsvc.exe	lsass.exe
PID 4980 wrote to memory of 628	4980	mssecsvc.exe	lsass.exe
PID 4980 wrote to memory of 628	4980	mssecsvc.exe	lsass.exe
PID 4980 wrote to memory of 628	4980	mssecsvc.exe	lsass.exe
PID 4980 wrote to memory of 628	4980	mssecsvc.exe	lsass.exe
PID 4980 wrote to memory of 704	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 704	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 704	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 704	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 704	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 704	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 708	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 708	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 708	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 708	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 708	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 708	4980	mssecsvc.exe	fontdrvhost.exe
PID 4980 wrote to memory of 760	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 760	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 760	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 760	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 760	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 760	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 796	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 796	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 796	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 796	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 796	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 796	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 848	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 848	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 848	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 848	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 848	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 848	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 900	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 900	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 900	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 900	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 900	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 900	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 948	4980	mssecsvc.exe	dwm.exe
PID 4980 wrote to memory of 948	4980	mssecsvc.exe	dwm.exe
PID 4980 wrote to memory of 948	4980	mssecsvc.exe	dwm.exe
PID 4980 wrote to memory of 948	4980	mssecsvc.exe	dwm.exe
PID 4980 wrote to memory of 948	4980	mssecsvc.exe	dwm.exe
PID 4980 wrote to memory of 948	4980	mssecsvc.exe	dwm.exe
PID 4980 wrote to memory of 348	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 348	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 348	4980	mssecsvc.exe	svchost.exe
PID 4980 wrote to memory of 348	4980	mssecsvc.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:628

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1492

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1964

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b4
1⤵
PID:2488

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:2772

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:4360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2084

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3964

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3600

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3292

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2552

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\66da6bd2b703134d7b74901f8a059419.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\66da6bd2b703134d7b74901f8a059419.dll,#1
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4920

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1232
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4204

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2920

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2716

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2404

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2392

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:4820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2292

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1868

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1832

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1480

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1440

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1220

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1144

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1120

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1056

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:940

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:348

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:4832

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:948

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:796

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:4932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:3692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:760

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:704

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:544

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3932

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
MD5
07251eabca6cea8e9cb4ad38395c3a03

SHA1
a3a786c9bc65ee4669eafa57dff21576034c5f8b

SHA256
36271570082f46c90e4f0f6045d95c5df42bdefc0f9d437983634586c8a87949

SHA512
9e0eb7d289163865ac61838b883a87b0de65b6be92fc1666f5fd9534a46f1e1cbb219a14735a4fe5b94b798e438cb0334bb9d2ebbd2b7b4c247eecbf3df88c7b

Download Submit
C:\Windows\mssecsvc.exe
MD5
07251eabca6cea8e9cb4ad38395c3a03

SHA1
a3a786c9bc65ee4669eafa57dff21576034c5f8b

SHA256
36271570082f46c90e4f0f6045d95c5df42bdefc0f9d437983634586c8a87949

SHA512
9e0eb7d289163865ac61838b883a87b0de65b6be92fc1666f5fd9534a46f1e1cbb219a14735a4fe5b94b798e438cb0334bb9d2ebbd2b7b4c247eecbf3df88c7b

Download Submit
C:\Windows\mssecsvc.exe
MD5
07251eabca6cea8e9cb4ad38395c3a03

SHA1
a3a786c9bc65ee4669eafa57dff21576034c5f8b

SHA256
36271570082f46c90e4f0f6045d95c5df42bdefc0f9d437983634586c8a87949

SHA512
9e0eb7d289163865ac61838b883a87b0de65b6be92fc1666f5fd9534a46f1e1cbb219a14735a4fe5b94b798e438cb0334bb9d2ebbd2b7b4c247eecbf3df88c7b

Download Submit
memory/4204-9-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/4204-24-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4204-10-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/4920-2-0x0000000000000000-mapping.dmp

Download
memory/4980-14-0x0000000000000000-mapping.dmp

Download
memory/4980-13-0x0000000000000000-mapping.dmp

Download
memory/4980-12-0x0000000000000000-mapping.dmp

Download
memory/4980-7-0x000000007FE90000-0x000000007FE9C000-memory.dmp

Filesize
48KB

Download
memory/4980-16-0x0000000000000000-mapping.dmp

Download
memory/4980-17-0x0000000000000000-mapping.dmp

Download
memory/4980-15-0x0000000000000000-mapping.dmp

Download
memory/4980-8-0x0000000000000000-mapping.dmp

Download
memory/4980-18-0x0000000000000000-mapping.dmp

Download
memory/4980-19-0x0000000000000000-mapping.dmp

Download
memory/4980-20-0x0000000000000000-mapping.dmp

Download
memory/4980-21-0x0000000000000000-mapping.dmp

Download
memory/4980-22-0x0000000000000000-mapping.dmp

Download
memory/4980-23-0x0000000000000000-mapping.dmp

Download
memory/4980-3-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads