Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20210410
submitted: 15-05-2021 05:25
Static task: static1
Behavioral task: behavioral1
  Sample: 0c5a3842bc700487dc0cc86f05a2ed74d2c65435f121804391f2762de225e430.dll
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 0c5a3842bc700487dc0cc86f05a2ed74d2c65435f121804391f2762de225e430.dll
  Resource: win10v20210408
General
Target: 0c5a3842bc700487dc0cc86f05a2ed74d2c65435f121804391f2762de225e430.dll
Size: 5.0MB
MD5: e9c7680e62b429a453a356c6429f9c03
SHA1: 913133219bbba14cc87de4b658fe68e35a3dd334
SHA256: 0c5a3842bc700487dc0cc86f05a2ed74d2c65435f121804391f2762de225e430
SHA512: 9d3dc06ab6ab25ce0c52231387041fc54654965d16daf5fc84cbec565b55e234a0a657871107d8225e52a9ed44bd8b88f7ab7564f1d1617dd9c69cc423483341
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
-
Executes dropped EXE (3 IoCs)
Processes:
  PID 1144  mssecsvc.exe
  PID 1700  mssecsvc.exe
  PID 1432  tasksche.exe
Drops file in System32 directory (1 IoC)
Processes: mssecsvc.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (by mssecsvc.exe)
Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
Modifies data under HKEY_USERS (24 IoCs)
Processes: mssecsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
  PID 1076 (rundll32.exe) wrote to memory of PID 2016 (rundll32.exe)   x7
  PID 2016 (rundll32.exe) wrote to memory of PID 1144 (mssecsvc.exe)   x4
Processes
C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c5a3842bc700487dc0cc86f05a2ed74d2c65435f121804391f2762de225e430.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c5a3842bc700487dc0cc86f05a2ed74d2c65435f121804391f2762de225e430.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Downloads
C:\WINDOWS\mssecsvc.exe
  MD5: 1dbe1609bf23cfcf9f66c175396b7e21
  SHA1: 6ef0c7055ee2e098d123d632ee0790b8c804411c
  SHA256: 26e1b1b49f9ea6c2f6243888788bbd8b948c92b21276133e14bef362cdb02368
  SHA512: 07e6702f849ccdb4248c1b4bfcfed6cdc08f6afb24818f90746139096ac718f4ce3f57157d97cde0da33ab7eb63af44fb3567e8a180805b49e172449fe5b0dac
C:\Windows\mssecsvc.exe
  MD5: 1dbe1609bf23cfcf9f66c175396b7e21
  SHA1: 6ef0c7055ee2e098d123d632ee0790b8c804411c
  SHA256: 26e1b1b49f9ea6c2f6243888788bbd8b948c92b21276133e14bef362cdb02368
  SHA512: 07e6702f849ccdb4248c1b4bfcfed6cdc08f6afb24818f90746139096ac718f4ce3f57157d97cde0da33ab7eb63af44fb3567e8a180805b49e172449fe5b0dac
C:\Windows\tasksche.exe
  MD5: d1f42f6f1b7380c6128ddf67aee4d195
  SHA1: 5d53c8395f3abb2676a2f24258b0a2352c7dcc69
  SHA256: 69ba8661b9f79de83a7b47a261660e6d692d75283a7fcc68825bddf9494822c9
  SHA512: bc0087f30114fdc46d2345fd1e416d767baad937bdb2424878d7d7e04cda11e2c90e546018e0799ca062f66fe51bcc48b9cac60eb3b7a8da6517554fcd4f3fd7
memory/1144-62-0x0000000000000000-mapping.dmp
memory/2016-60-0x0000000000000000-mapping.dmp
memory/2016-61-0x00000000766D1000-0x00000000766D3000-memory.dmp
  Filesize: 8KB