Analysis
  max time kernel:   151s
  max time network:  155s
  platform:          windows10_x64
  resource:          win10v20210408
  submitted:         15-05-2021 03:58

Static task:      static1
Behavioral task:  behavioral1   Sample: da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll   Resource: win7v20210410
Behavioral task:  behavioral2   Sample: da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll   Resource: win10v20210408
General
  Target:  da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll
  Size:    5.0MB
  MD5:     b7aaeb286309a92f575247014054dc9a
  SHA1:    5420861f432a03c2371cd2d38dfa7b311dc4b4b8
  SHA256:  da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c
  SHA512:  e4cfe25feb734f93b1c861ad8ae384f04d19773e4c7a081b82150b4d532ebc52c68516c6f8d6281ac32ae61b0f1689b204c541db965158fc7c1a0adf27d5cd0c
Malware Config

Signatures
Modifies firewall policy service (2 TTPs, 4 IoCs)
  Process: mssecsvc.exe
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1"
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
  The value registers the dropped C:\WINDOWS\mssecsvc.exe as an authorized application for any remote address (scope "*") in the legacy firewall profile format "<path>:<scope>:<enabled|disabled>:<display name>". The three "Key created" records show the StandardProfile\AuthorizedApplications\List key did not exist on this Windows 10 image before the sample wrote it, so the presence of that key is itself a usable host indicator here.
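The registry value above follows the legacy Windows Firewall AuthorizedApplications\List format, which a naive split on ":" mis-parses because the drive letter also contains a colon. The following is an added example, not code from the sandbox or the report, that parses that format and applies three heuristics of this example's own choosing (enabled for any remote address, executable placed directly in the Windows directory, value name disagreeing with the embedded path). The first sample value is the one the report records (the report shows its backslashes JSON-escaped); the other two values are constructed for contrast.

```python
"""Triage of Windows Firewall AuthorizedApplications\\List values.

Added example, not code from the sandbox or the report. The value format
"<path>:<scope>:<Enabled|Disabled>:<display name>" is the one Windows writes
under ...\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Path first, then scope, state and display name. The path contains a ':' after
# the drive letter, so the state keyword anchors the split rather than a naive
# split on ':'.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FirewallException:
    value_name: str
    path: str
    scope: str          # "*" = any remote address; otherwise an address/subnet list
    enabled: bool
    display_name: str


def parse_entry(value_name: str, data: str) -> FirewallException:
    """Parse one REG_SZ value from AuthorizedApplications\\List."""
    m = ENTRY_RE.match(data)
    if m is None:
        raise ValueError(f"unexpected AuthorizedApplications format: {data!r}")
    return FirewallException(
        value_name=value_name,
        path=m["path"],
        scope=m["scope"],
        enabled=m["state"].lower() == "enabled",
        display_name=m["name"],
    )


def triage_entry(entry: FirewallException, windows_dir: str = r"C:\Windows") -> list[str]:
    """Heuristic reasons (assumptions of this example) an exception deserves a look."""
    reasons: list[str] = []
    if entry.enabled and entry.scope == "*":
        reasons.append("enabled for any remote address")
    parent_dir = entry.path.rsplit("\\", 1)[0]
    if parent_dir.lower() == windows_dir.lower():
        reasons.append("executable sits directly in the Windows directory")
    if entry.value_name.lower() != entry.path.lower():
        reasons.append("value name and embedded path disagree")
    return reasons


def triage_list(values: dict[str, str], windows_dir: str = r"C:\Windows") -> dict[str, list[str]]:
    """Map every notable value name to its reasons; quiet entries are dropped."""
    findings: dict[str, list[str]] = {}
    for name, data in values.items():
        reasons = triage_entry(parse_entry(name, data), windows_dir)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample: value name -> data, as read from the List key.
SAMPLE_LIST = {
    r"C:\WINDOWS\mssecsvc.exe":
        r"C:\WINDOWS\mssecsvc.exe:*:enabled:@shell32.dll,-1",          # from the report
    r"C:\Program Files\Example\app.exe":
        r"C:\Program Files\Example\app.exe:LocalSubNet:Enabled:Example App",  # constructed
    r"C:\Users\Admin\Downloads\tool.exe":
        r"C:\Users\Admin\Downloads\tool.exe:*:Disabled:Tool",          # constructed
}

if __name__ == "__main__":
    for name, reasons in triage_list(SAMPLE_LIST).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live host the SAMPLE_LIST dictionary would be filled from the values of the List key (the report's ControlSet001 path is the same hive reached through CurrentControlSet), for example by enumerating it with the standard winreg module; the heuristics are deliberately structural so they do not depend on this sample's file name.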
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description             pid   process       target process
  PID 2336 created 3832   2336  WerFault.exe  mssecsvc.exe
Wannacry (family)
  WannaCry is a ransomware cryptoworm.
Executes dropped EXE (2 IoCs)
  pid   process
  3832  mssecsvc.exe
  856   mssecsvc.exe
Drops file in System32 directory (1 IoC)
  description                   ioc                                                                                              process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  mssecsvc.exe
Drops file in Windows directory (2 IoCs)
  description   ioc                         process
  File created  C:\WINDOWS\mssecsvc.exe     rundll32.exe
  File created  C:\WINDOWS\tasksche.exe     mssecsvc.exe
Program crash (1 IoC)
  pid   process       target pid  target process
  2336  WerFault.exe  3832        mssecsvc.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
  pid   process       events
  3832  mssecsvc.exe  2
  856   mssecsvc.exe  2
  2336  WerFault.exe  15
Suspicious behavior: MapViewOfSection (64 IoCs)
  pid   process       events
  3832  mssecsvc.exe  62
  856   mssecsvc.exe  2
Suspicious use of AdjustPrivilegeToken (5 IoCs)
  token               pid   process
  SeDebugPrivilege    3832  mssecsvc.exe
  SeDebugPrivilege    856   mssecsvc.exe
  SeRestorePrivilege  2336  WerFault.exe
  SeBackupPrivilege   2336  WerFault.exe
  SeDebugPrivilege    2336  WerFault.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  source pid / process       target pid / process    records
  1000 rundll32.exe    ->    4052 rundll32.exe       3
  4052 rundll32.exe    ->    3832 mssecsvc.exe       3
  3832 mssecsvc.exe    ->    540  winlogon.exe       6
  3832 mssecsvc.exe    ->    624  lsass.exe          6
  3832 mssecsvc.exe    ->    708  svchost.exe        6
  3832 mssecsvc.exe    ->    716  fontdrvhost.exe    6
  3832 mssecsvc.exe    ->    724  fontdrvhost.exe    6
  3832 mssecsvc.exe    ->    792  svchost.exe        6
  3832 mssecsvc.exe    ->    844  svchost.exe        6
  3832 mssecsvc.exe    ->    892  svchost.exe        6
  3832 mssecsvc.exe    ->    976  dwm.exe            6
  3832 mssecsvc.exe    ->    340  svchost.exe        4 (the listing stops at the 64th record)
  The first two pairs follow the launch chain shown in the process tree, rundll32.exe (system32) -> rundll32.exe (SysWOW64) -> mssecsvc.exe; the remaining ten are the dropped binary writing into already-running system processes, lsass.exe and winlogon.exe among them.
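The 64 WriteProcessMemory records above collapse to twelve distinct source/target pairs once the repeats are counted. The following is an added example, not code from the sandbox or the report, that parses records in the exact form the report prints, counts the repeats, reconstructs the chain of writers that leads to a given pid and flags writes into system processes. The set of "sensitive" image names is this example's own choice, and SAMPLE_RECORDS is an excerpt constructed from the report's records with the repeat counts reduced.

```python
"""Collapse and rank cross-process memory writes from sandbox signature output.

Added example, not part of the report. Records have the form
"PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

RECORD_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)

# Processes a freshly dropped binary has no legitimate reason to write into
# (list chosen for this example).
SENSITIVE_IMAGES = {
    "lsass.exe", "winlogon.exe", "csrss.exe", "services.exe",
    "svchost.exe", "dwm.exe", "fontdrvhost.exe",
}


@dataclass(frozen=True)
class Write:
    src_pid: int
    src_img: str
    dst_pid: int
    dst_img: str


def parse_writes(text: str) -> list[Write]:
    """Every WriteProcessMemory record in the text, repeats included."""
    return [
        Write(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])
        for m in RECORD_RE.finditer(text)
    ]


def count_pairs(writes: list[Write]) -> dict[Write, int]:
    """Distinct source/target pairs with how often each was recorded."""
    return dict(Counter(writes))


def sensitive_targets(writes: list[Write]) -> list[Write]:
    """Distinct pairs whose target is a system process, in first-seen order."""
    seen: list[Write] = []
    for w in writes:
        if w.dst_img.lower() in SENSITIVE_IMAGES and w not in seen:
            seen.append(w)
    return seen


def writer_chain(writes: list[Write], pid: int) -> list[int]:
    """Follow 'who wrote into whom' backwards from pid to the first writer."""
    writer_of = {w.dst_pid: w.src_pid for w in writes}
    chain = [pid]
    while chain[0] in writer_of and writer_of[chain[0]] not in chain:
        chain.insert(0, writer_of[chain[0]])
    return chain


# Constructed excerpt of the report's records (repeat counts reduced).
SAMPLE_RECORDS = """
PID 1000 wrote to memory of 4052 1000 rundll32.exe rundll32.exe
PID 1000 wrote to memory of 4052 1000 rundll32.exe rundll32.exe
PID 1000 wrote to memory of 4052 1000 rundll32.exe rundll32.exe
PID 4052 wrote to memory of 3832 4052 rundll32.exe mssecsvc.exe
PID 4052 wrote to memory of 3832 4052 rundll32.exe mssecsvc.exe
PID 4052 wrote to memory of 3832 4052 rundll32.exe mssecsvc.exe
PID 3832 wrote to memory of 540 3832 mssecsvc.exe winlogon.exe
PID 3832 wrote to memory of 540 3832 mssecsvc.exe winlogon.exe
PID 3832 wrote to memory of 624 3832 mssecsvc.exe lsass.exe
PID 3832 wrote to memory of 624 3832 mssecsvc.exe lsass.exe
PID 3832 wrote to memory of 708 3832 mssecsvc.exe svchost.exe
PID 3832 wrote to memory of 976 3832 mssecsvc.exe dwm.exe
"""

if __name__ == "__main__":
    writes = parse_writes(SAMPLE_RECORDS)
    for pair, n in count_pairs(writes).items():
        print(f"{pair.src_pid} {pair.src_img} -> {pair.dst_pid} {pair.dst_img}: {n} writes")
    print("writers leading to 3832:", " -> ".join(map(str, writer_chain(writes, 3832))))
    for w in sensitive_targets(writes):
        print(f"!! {w.src_img} ({w.src_pid}) wrote into {w.dst_img} ({w.dst_pid})")
```

Feeding the full 64-record block from the report to parse_writes gives the twelve pairs tabulated above; writer_chain(writes, 3832) then returns the rundll32 -> rundll32 -> mssecsvc.exe chain, and sensitive_targets lists every system process the dropped binary wrote into.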
Processes
(image path | command line; indentation follows the process tree; signatures triggered by a process are listed beneath it)

C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
C:\Windows\system32\winlogon.exe | winlogon.exe
  C:\Windows\system32\dwm.exe | "dwm.exe"
  C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch
  C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
  C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s SENS
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  C:\Windows\system32\AUDIODG.EXE | C:\Windows\system32\AUDIODG.EXE 0x3b4
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k appmodel -s StateRepository
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s netprofm
C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Browser
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s CDPSvc
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\WINDOWS\mssecsvc.exe | C:\WINDOWS\mssecsvc.exe
        - Modifies firewall policy service
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 996
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
  C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\sihost.exe | sihost.exe
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s Dnscache
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s FontCache
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s Schedule
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k rpcss
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
\??\c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k netsvcs -s BITS
\??\c:\windows\system32\svchost.exe | c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
C:\WINDOWS\mssecsvc.exe | C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\WINDOWS\mssecsvc.exe (recorded three times, also as C:\Windows\mssecsvc.exe; all three entries carry the same hashes)
  MD5:     6081e20a243389a518cb8055bc93a948
  SHA1:    7695d90ba77b4b7c493093805ecae511da226b07
  SHA256:  3fe6d0ad1b4253c297f7979e6e72196a8e884f45d2921c7133c8cfe6695ad740
  SHA512:  a4713c0e608bba5c8cc87c83f8d69282a47c487ab3ec587ee62e375bd6c66e5180e88bd539ff2479197dda21268577d10240c4b4fb30e11936fb4a58ec1ae94f

memory/3832-115-0x0000000000000000-mapping.dmp
memory/3832-119-0x000000007FE90000-0x000000007FE9C000-memory.dmp  (filesize 48KB)
memory/4052-114-0x0000000000000000-mapping.dmp