Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-01-2021 10:20
Static task: static1
Behavioral task: behavioral1
- Sample: 00bc02b91a3850390e977e4b75f1f84f.dll
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 00bc02b91a3850390e977e4b75f1f84f.dll
- Resource: win10v20201028
General
- Target: 00bc02b91a3850390e977e4b75f1f84f.dll
- Size: 5.0MB
- MD5: 00bc02b91a3850390e977e4b75f1f84f
- SHA1: 73240c616134f1830a0ab8dd565284d92e238333
- SHA256: 88489f32a5e8521eb18fc390aac403c729fccb579e5b23307ca487ec7c724ce1
- SHA512: 7baaf5578589f6881334868c1c7a4739a7e2294cef4967f10db20d9280dff2379b0977c6bec9d7c57b50df0e064a71d9df7be39ce48605a5c32b868e927667a5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm: it encrypts the victim's files and propagates itself to other hosts. The two binaries this sample writes into C:\Windows match the known WannaCry component layout: mssecsvc.exe is the worm component, which also appears in the process tree started with the arguments -m security, and tasksche.exe, launched with /i, is the encryptor.
- Executes dropped EXE (3 IoCs)
  PID  | Process
  812  | mssecsvc.exe
  1604 | mssecsvc.exe
  2460 | tasksche.exe
- Drops file in System32 directory (7 IoCs)
  All seven paths sit under C:\Windows\SysWOW64\config\systemprofile, the profile of the LocalSystem account as seen by a 32-bit process, and they are WinINet cache, cookie and history locations. This shows mssecsvc.exe running as SYSTEM and initialising the WinINet stack; it is not the sample planting files in System32 proper.
  Description | IoC | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\4BFFKA4A.cookie | mssecsvc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | mssecsvc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mssecsvc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mssecsvc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mssecsvc.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mssecsvc.exe
  File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\4BFFKA4A.cookie | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Description | IoC | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments. Here, however, the process doing the reading is AcroRd32.exe, which runs in its own process tree in the analysis VM and is not spawned by the sample, so this and the other AcroRd32.exe signatures below are environment noise rather than sample behaviour.
  Description | IoC | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Modifies Internet Explorer settings (1 IoC)
  Description | IoC | Process
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Modifies data under HKEY_USERS (8 IoCs)
  Every write goes to HKU\.DEFAULT, the hive a process running as LocalSystem sees as its HKCU, which again places mssecsvc.exe in the SYSTEM context. The keys themselves (ZoneMap, CachePrefix) are the ones WinINet populates on first use, not deliberate tampering with Internet settings.
  Description | IoC | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  PID  | Process
  3736 | AcroRd32.exe (4 events)
- Suspicious use of WriteProcessMemory (216 IoCs)
  Unique writer/target pairs; each pair is repeated many times in the full list of 216 events.
  Source PID | Source process | Target PID | Target process
  984  | rundll32.exe | 3900 | rundll32.exe
  3900 | rundll32.exe | 812  | mssecsvc.exe
  3736 | AcroRd32.exe | 3856 | RdrCEF.exe
  3856 | RdrCEF.exe   | 3992 | RdrCEF.exe
  3856 | RdrCEF.exe   | 3620 | RdrCEF.exe
Processes
Indentation is parent/child depth; PIDs are taken from the signature tables above. The two rundll32.exe entries are one invocation: on 64-bit Windows the System32 rundll32.exe re-launches its SysWOW64 copy to load a 32-bit DLL, so the process that actually runs the sample and drops mssecsvc.exe is PID 3900. AcroRd32.exe and its RdrCEF.exe children form a separate tree that the report does not link to the sample; their command lines are ordinary Reader/CEF start-up, and the signatures they trigger are not sample behaviour.

- C:\Windows\system32\rundll32.exe (PID 984)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\00bc02b91a3850390e977e4b75f1f84f.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3900)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\00bc02b91a3850390e977e4b75f1f84f.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 812)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2460)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1604; separate root, not a child of the rundll32 chain)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (PID 3736)
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (PID 3856)
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (gpu-process)
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6EF92534DF9374E2DB9505BE8B150A1C --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (renderer)
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AA5C11C524EA84599547E26BCD2D088B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AA5C11C524EA84599547E26BCD2D088B --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (gpu-process)
      Same command line as the first gpu-process above, with --service-request-channel-token=50D7F3F481BA536D0694530263C74E71 --mojo-platform-channel-handle=2232
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (gpu-process)
      Same command line as the first gpu-process above, with --service-request-channel-token=6AC02D31CD9AE819430C9A99459516A7 --mojo-platform-channel-handle=2436
    - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (gpu-process)
      Same command line as the first gpu-process above, with --service-request-channel-token=27CFF21EEBD6FB9ABFAC8F1A5ED0E185 --mojo-platform-channel-handle=1816
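The process tree above is the part of this report worth turning into a detection: rundll32.exe writing mssecsvc.exe into C:\Windows, mssecsvc.exe spawning tasksche.exe /i, and a second mssecsvc.exe started with -m security. The following is an added example, not code from the sandbox report or from any vendor tool. It replays constructed process- and file-creation events shaped after the tree (the PIDs and paths are the report's) and emits one alert per suspicious link; the Event field names (pid, ppid, image, parent_image, cmdline, target) are assumptions to be mapped onto your own EDR or Sysmon schema.

```python
"""Behavioural detection for the drop chain in this report.

Added example for this page, not part of the sandbox report or of any
vendor tooling. The Event field names are assumptions; map them onto
your own EDR/Sysmon schema.
"""
import ntpath
from dataclasses import dataclass
from typing import List

# Filenames the sample writes into C:\Windows ("Drops file in Windows directory").
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}


@dataclass
class Event:
    kind: str                 # "process" (creation) or "file" (creation)
    pid: int
    image: str                # full path of the acting process
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""          # path written, for "file" events


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works off-Windows too)."""
    return ntpath.basename(path).lower()


def _directly_in_windows(path: str) -> bool:
    """True for C:\\Windows\\<file> itself, not for subdirectories such as System32."""
    head, tail = ntpath.split(path)
    return head.lower().rstrip("\\") == "c:\\windows" and bool(tail)


def detect(events: List[Event]) -> List[str]:
    """Return one alert string per suspicious link in the WannaCry drop chain."""
    alerts: List[str] = []
    for e in events:
        if e.kind == "file":
            # Any process writing one of the dropped component names into C:\Windows.
            if _directly_in_windows(e.target) and _name(e.target) in DROPPED_NAMES:
                alerts.append(f"drop: {_name(e.image)} (pid {e.pid}) created {e.target}")
            continue
        name, parent = _name(e.image), _name(e.parent_image)
        cmd = e.cmdline.lower()
        if name == "mssecsvc.exe" and parent == "rundll32.exe":
            alerts.append(f"rundll32 child: pid {e.pid} {e.image} spawned by pid {e.ppid}")
        if name == "mssecsvc.exe" and "-m security" in cmd:
            alerts.append(f"worm service: pid {e.pid} {e.cmdline}")
        if name == "tasksche.exe" and parent == "mssecsvc.exe" and cmd.rstrip().endswith("/i"):
            alerts.append(f"encryptor install: pid {e.pid} {e.cmdline}")
    return alerts


def sample_events() -> List[Event]:
    """Constructed events mirroring the report's process tree; PIDs are the report's."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\00bc02b91a3850390e977e4b75f1f84f.dll"
    r64 = r"C:\Windows\system32\rundll32.exe"
    r32 = r"C:\Windows\SysWOW64\rundll32.exe"
    svc = r"C:\WINDOWS\mssecsvc.exe"
    acro = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
    return [
        Event("process", 984, r64, 0, "", f"rundll32.exe {dll},#1"),
        Event("process", 3900, r32, 984, r64, f"rundll32.exe {dll},#1"),
        Event("file", 3900, r32, target=svc),
        Event("process", 812, svc, 3900, r32, svc),
        Event("file", 812, svc, target=r"C:\WINDOWS\tasksche.exe"),
        Event("process", 2460, r"C:\WINDOWS\tasksche.exe", 812, svc, r"C:\WINDOWS\tasksche.exe /i"),
        # Second root; the report does not record its parent.
        Event("process", 1604, svc, 0, "", f"{svc} -m security"),
        # Unrelated Reader tree from the same VM; must not alert.
        Event("process", 3736, acro, 0, "", f'"{acro}"'),
    ]


def run_sample() -> List[str]:
    return detect(sample_events())


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Run against the constructed events it produces five alerts (two drops, the rundll32-to-mssecsvc.exe link, the tasksche.exe /i install and the -m security service start) and nothing for the AcroRd32.exe tree. The name checks are deliberately exact rather than substring matches, since the whole point of the report's tree is that the component names and arguments are stable indicators.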
Downloads
- C:\WINDOWS\mssecsvc.exe (listed three times in the report, also as C:\Windows\mssecsvc.exe; identical hashes)
  MD5: 8d9a4207429d7e829dc91955a1694d7e
  SHA1: 07f3c64ff5c68b3eafa417dab76c989fc9fff171
  SHA256: 17e5e0d52f4de23d3195ec2d93d366fefc7e59b6b20f71df12e7218313163da2
  SHA512: 98c5d9fd1a665446e8a443ed8d60cb250924386ce2d24d7501ec3b2d292240122a8916af1860d5d689177f582890226286ed8f0ed4e8cec5db2d024d8a88d70b
- C:\Windows\tasksche.exe
  MD5: 741b6e8f838fd37cdf0431551432b0e7
  SHA1: 1a480f81cb2308c28b3eaee24e04ef133ff2e41e
  SHA256: 3a4a89b71005c5233e592cc20d6fd06b21aeca3415554390e4365bb76eade469
  SHA512: 0e12d88c40ee38d717a8501bf67f63885afef54328105f4337d59c516f5a3f562e4fa4f7ec54e9afffa04a402918699c33b8d2ccc76b8e5c60c76de4d0fd9cac
- Memory dumps
  memory/812-3-0x0000000000000000-mapping.dmp
  memory/1596-21-0x0000000000000000-mapping.dmp
  memory/1596-20-0x0000000077132000-0x000000007713200C-memory.dmp (12B)
  memory/2728-24-0x0000000000000000-mapping.dmp
  memory/2728-23-0x0000000077132000-0x000000007713200C-memory.dmp (12B)
  memory/3156-18-0x0000000000000000-mapping.dmp
  memory/3156-17-0x0000000077132000-0x000000007713200C-memory.dmp (12B)
  memory/3620-13-0x0000000000000000-mapping.dmp
  memory/3620-12-0x0000000077132000-0x000000007713200C-memory.dmp (12B)
  memory/3856-8-0x0000000000000000-mapping.dmp
  memory/3900-2-0x0000000000000000-mapping.dmp
  memory/3992-10-0x0000000000000000-mapping.dmp
  memory/3992-9-0x0000000077132000-0x000000007713200C-memory.dmp (12B)
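The hashes in the Downloads section are the hunting artefacts a responder would sweep hosts for. The following is an added example, not code from the sandbox report or from any vendor tool: a disk sweep that hashes every file under a root and reports both exact SHA256 matches against the report's two dropped binaries and, separately, files that merely carry the dropped component names mssecsvc.exe or tasksche.exe. The second check matters because a repacked dropper keeps the component names but changes the hashes. Only the two SHA256 values are taken from the report; the function names, the temporary "Windows" directory the demo builds and the stand-in file contents are constructed for illustration.

```python
"""Disk sweep for the dropped-file IoCs listed in the Downloads section.

Added example for this page, not part of the sandbox report or any vendor
tool. The two SHA256 values are copied from the report; everything else
(function names, the directory the demo builds, stand-in contents) is
constructed for illustration.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Iterable, List, Tuple

# SHA256 of the dropped binaries, from the report's Downloads section.
WANNACRY_SHA256: Dict[str, str] = {
    "17e5e0d52f4de23d3195ec2d93d366fefc7e59b6b20f71df12e7218313163da2": "mssecsvc.exe",
    "3a4a89b71005c5233e592cc20d6fd06b21aeca3415554390e4365bb76eade469": "tasksche.exe",
}
# Filenames the sample writes into C:\Windows ("Drops file in Windows directory").
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str,
          hashes: Dict[str, str] = WANNACRY_SHA256,
          names: Iterable[str] = DROPPED_NAMES) -> List[Tuple[str, str]]:
    """Walk `root` and return (path, reason) pairs.

    A hash hit is definitive. A filename hit without a hash hit is still
    reported: mssecsvc.exe and tasksche.exe are not legitimate Windows
    binaries, and a repacked dropper keeps the names but not the hashes.
    """
    wanted = {n.lower() for n in names}
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or locked file: skip it, do not abort the sweep
            if digest in hashes:
                findings.append((path, f"sha256 match: {hashes[digest]}"))
            elif fn.lower() in wanted:
                findings.append((path, f"filename matches dropped component, sha256 {digest} not in IoC list"))
    return findings


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Build a constructed tree and sweep it twice: with the report's hashes only,
    then with the stand-in's own hash added, to exercise both match paths."""
    stand_in = b"MZ constructed stand-in, not the real sample\n"
    root = tempfile.mkdtemp(prefix="wannacry_ioc_")
    try:
        win = os.path.join(root, "Windows")
        os.makedirs(win)
        with open(os.path.join(win, "mssecsvc.exe"), "wb") as f:
            f.write(stand_in)
        with open(os.path.join(win, "notepad.exe"), "wb") as f:
            f.write(b"MZ benign stand-in\n")
        by_name = sweep(root)
        extended = dict(WANNACRY_SHA256)
        extended[hashlib.sha256(stand_in).hexdigest()] = "constructed stand-in"
        by_hash = sweep(root, hashes=extended)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return by_name, by_hash


if __name__ == "__main__":
    for label, result in zip(("by name", "by hash"), demo()):
        for path, reason in result:
            print(f"[{label}] {path}: {reason}")
```

On a real host point sweep() at the Windows directory (and at any other path the drop chain touched); the MD5 and SHA1 values from the report can be added the same way if a tool only exports those, but SHA256 is the one to pivot on.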