Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 13-05-2021 15:25
Static task: static1
Behavioral task: behavioral1
- Sample: 7fdd522945011bfd66a5c5a446cd83c36d000a9d7bfbd52f79defb9f569d8488.dll
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 7fdd522945011bfd66a5c5a446cd83c36d000a9d7bfbd52f79defb9f569d8488.dll
- Resource: win10v20210410
General
- Target: 7fdd522945011bfd66a5c5a446cd83c36d000a9d7bfbd52f79defb9f569d8488.dll
- Size: 5.0MB
- MD5: 17ce16bf307c1059fe2fb55c0c48a483
- SHA1: 5920ae8ad63307472a51d35d842fcf247c381b7c
- SHA256: 7fdd522945011bfd66a5c5a446cd83c36d000a9d7bfbd52f79defb9f569d8488
- SHA512: cc8b90d12b0da5232b6122158c04f4c8d702fc833c7b13673836f111dff29bed4fadf2e2ad73524246e214eebcb06969d177c734b54b90b145f6dba8f2bff48d
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  1492 mssecsvc.exe
  1768 mssecsvc.exe
  2016 tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc; all by mssecsvc.exe):
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network"
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0"
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0"
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = c059c081ab48d701
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1"
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = c059c081ab48d701
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070018000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1"
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  PID 1684 wrote to memory of 1824 | 1684 | rundll32.exe | rundll32.exe (7 events)
  PID 1824 wrote to memory of 1492 | 1824 | rundll32.exe | mssecsvc.exe (4 events)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fdd522945011bfd66a5c5a446cd83c36d000a9d7bfbd52f79defb9f569d8488.dll,#1
  PID: 1684
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fdd522945011bfd66a5c5a446cd83c36d000a9d7bfbd52f79defb9f569d8488.dll,#1
    PID: 1824
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1492
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2016
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1768
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Downloads
- C:\WINDOWS\mssecsvc.exe (also recorded as C:\Windows\mssecsvc.exe)
  MD5: 670c09c18ad4df5aa8b930a0c1e08139
  SHA1: 0e174b5eb3afbf6dcc9697b806594e4ee0233509
  SHA256: f3ca25648788f79556688c34040803cf9529768191337f1826c6db1eb8d74175
  SHA512: a89abc638b507efd2d382d828c60f15a3e9b7837a75e91512a6232ec7db439d9bfda037f040eceba215c965e75a72e4a7a1318e70a86f69d5bdaebab31edb1a9
- C:\Windows\tasksche.exe
  MD5: 1e16fd7d2fde97db36e4ea1eb44b3238
  SHA1: 22be01f932fa82f08c0d1426e44deaf8ef83d95c
  SHA256: 31d5da4377e51cfade377deb989652edb5c0262029d8df7d0ea64a7ce25cfb21
  SHA512: 92617e6dff208d6c9ca4e778a2ec12d33d79f4bb51d0c28275f54a2be1117e8d0f27cc6526858e63c3c3551467fc5403debeb041ba696478be4753ec697a3131
- memory/1492-61-0x0000000000000000-mapping.dmp
- memory/1824-59-0x0000000000000000-mapping.dmp
- memory/1824-60-0x0000000075011000-0x0000000075013000-memory.dmp
  Filesize: 8KB