Analysis
max time kernel: 150s
max time network: 200s
platform: windows7_x64
resource: win7v20210408
submitted: 15-05-2021 11:19
Static task: static1
Behavioral task: behavioral1
Sample: b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5.dll
Resource: win7v20210408
Behavioral task: behavioral2
Sample: b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5.dll
Resource: win10v20210410
General
Target: b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5.dll
Size: 5.0MB
MD5: 17464a712d66c4dc954e392394f920dd
SHA1: 45fd965dc3e2a325c1f132f1f30e38ce1d89d44e
SHA256: b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5
SHA512: fc97ea8fc0f99c1f15673f2e3d01f39db44f3c5cf35e82b4baca1b503a2684688830d30cc73345b816ddc10ce870c2f69471765630a37ccb843afd352eb3f7d2
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
-
Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  1380 | mssecsvc.exe
  1528 | mssecsvc.exe
Drops file in System32 directory (1 IoC)
Processes:
  description                  | ioc                                                                                                                        | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
Drops file in Windows directory (2 IoCs)
Processes:
  description  | ioc                     | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
Modifies data under HKEY_USERS (24 IoCs)
Processes:
  description      | ioc                                                                                                                                             | process
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-88-93-6a-6c-49\WpadDecisionReason = "1"                  | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections                                                     | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings                                                                 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                                   | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"                       | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecision = "0"  | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"                                               | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"                                     | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"                                        | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                                                            | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-88-93-6a-6c-49\WpadDecisionTime = d0d6c87bc049d701      | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-88-93-6a-6c-49\WpadDecision = "0"                       | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                                        | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadDecisionTime = d0d6c87bc049d701 | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\WpadNetworkName = "Network" | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}\4a-88-93-6a-6c-49  | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                                                                 | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"                      | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A33DB50-CC69-497D-AB93-6EAB524EB9A7}                    | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-88-93-6a-6c-49                                         | mssecsvc.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid  | process
  1380 | mssecsvc.exe
  1528 | mssecsvc.exe
Suspicious behavior: MapViewOfSection (46 IoCs)
Processes:
  pid  | process
  1380 | mssecsvc.exe (repeated)
  1528 | mssecsvc.exe (repeated)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description             | pid  | process
  Token: SeDebugPrivilege | 1380 | mssecsvc.exe
  Token: SeDebugPrivilege | 1528 | mssecsvc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                      | pid  | process      | target process | events
  PID 1876 wrote to memory of 1060 | 1876 | rundll32.exe | rundll32.exe   | 7
  PID 1060 wrote to memory of 1380 | 1060 | rundll32.exe | mssecsvc.exe   | 4
  PID 1380 wrote to memory of 368  | 1380 | mssecsvc.exe | wininit.exe    | 7
  PID 1380 wrote to memory of 376  | 1380 | mssecsvc.exe | csrss.exe      | 7
  PID 1380 wrote to memory of 416  | 1380 | mssecsvc.exe | winlogon.exe   | 7
  PID 1380 wrote to memory of 460  | 1380 | mssecsvc.exe | services.exe   | 7
  PID 1380 wrote to memory of 476  | 1380 | mssecsvc.exe | lsass.exe      | 7
  PID 1380 wrote to memory of 484  | 1380 | mssecsvc.exe | lsm.exe        | 7
  PID 1380 wrote to memory of 584  | 1380 | mssecsvc.exe | svchost.exe    | 7
  PID 1380 wrote to memory of 660  | 1380 | mssecsvc.exe | svchost.exe    | 4
Processes
- C:\Windows\system32\lsass.exe
  Command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\services.exe
  Command line: C:\Windows\system32\services.exe
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
    - C:\Windows\system32\wbem\wmiprvse.exe
      Command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    - C:\Windows\system32\DllHost.exe
      Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\sppsvc.exe
    Command line: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\taskhost.exe
    Command line: "taskhost.exe"
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\System32\spoolsv.exe
    Command line: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs
    - C:\Windows\system32\wbem\WMIADAP.EXE
      Command line: wmiadap.exe /F /T /R
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  - C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k RPCSS
  - C:\WINDOWS\mssecsvc.exe
    Command line: C:\WINDOWS\mssecsvc.exe -m security
    Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
- C:\Windows\system32\csrss.exe
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\wininit.exe
  Command line: wininit.exe
  - C:\Windows\system32\lsm.exe
    Command line: C:\Windows\system32\lsm.exe
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b16646ff78586a4be0c309470413db9f9317a1f1548c8482af802d9273e69ef5.dll,#1
      Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\WINDOWS\mssecsvc.exe
        Command line: C:\WINDOWS\mssecsvc.exe
        Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- C:\Windows\system32\Dwm.exe
  Command line: "C:\Windows\system32\Dwm.exe"
Network
MITRE ATT&CK Matrix
Downloads
C:\WINDOWS\MSSECSVC.EXE
MD5: ccca5e8df7b968fc829edca79c129d35
SHA1: f8c88dc2f0e2fea59df40322df4c6b5bf7513ab3
SHA256: 5b16162218e51f2661bc42706c1dd083e3f919ca754d6fe2acda57ad4b1299ae
SHA512: 1a26bbad4b23d11ce1afa099d41d737682e2bf08c0bad7f98644a9af8b58d6e5562ed59e4793c2e64ab0e4785eaf9e2f2e2fd799d906de4598a61bb301836d82

C:\Windows\mssecsvc.exe
MD5: ccca5e8df7b968fc829edca79c129d35
SHA1: f8c88dc2f0e2fea59df40322df4c6b5bf7513ab3
SHA256: 5b16162218e51f2661bc42706c1dd083e3f919ca754d6fe2acda57ad4b1299ae
SHA512: 1a26bbad4b23d11ce1afa099d41d737682e2bf08c0bad7f98644a9af8b58d6e5562ed59e4793c2e64ab0e4785eaf9e2f2e2fd799d906de4598a61bb301836d82
memory/1060-59-0x0000000000000000-mapping.dmp
memory/1060-60-0x0000000075891000-0x0000000075893000-memory.dmp (Filesize: 8KB)
memory/1380-61-0x0000000000000000-mapping.dmp
memory/1380-67-0x000000007EF80000-0x000000007EF8C000-memory.dmp (Filesize: 48KB)