Analysis
- max time kernel: 140s
- max time network: 145s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 16-05-2021 05:37
Static task: static1
Behavioral task: behavioral1
- Sample: b844461a7d4106ec8be10206c0e79202abb15f58455437da042191ecd456f908.dll
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: b844461a7d4106ec8be10206c0e79202abb15f58455437da042191ecd456f908.dll
- Resource: win10v20210410
General
- Target: b844461a7d4106ec8be10206c0e79202abb15f58455437da042191ecd456f908.dll
- Size: 5.0MB
- MD5: ee9ca4f8f8ed58d719013d25637dcab5
- SHA1: 42255a42373c52680110d6093a9130f2cfc0060e
- SHA256: b844461a7d4106ec8be10206c0e79202abb15f58455437da042191ecd456f908
- SHA512: 9dbe2f7604d2fd15e9c39f9fd65b77b23402134614f7840e9d9e6b04d811585cc841c54d902f5b041f369ee91f2396aa6dcdbb0d0181f527baf99571a07a301a
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Executes dropped EXE (2 IoCs)
  Processes: 1284 mssecsvc.exe, 1704 mssecsvc.exe
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 1284 mssecsvc.exe, 1704 mssecsvc.exe
- Suspicious behavior: MapViewOfSection (40 IoCs)
  Processes: 1284 mssecsvc.exe and 1704 mssecsvc.exe (40 repeated entries across the two PIDs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, 1284 mssecsvc.exe
  Token: SeDebugPrivilege, 1704 mssecsvc.exe
- Suspicious use of WriteProcessMemory (64 IoCs; each source/target pair is logged repeatedly, deduplicated here)
  PID 1056 rundll32.exe wrote to memory of 2000 rundll32.exe
  PID 2000 rundll32.exe wrote to memory of 1284 mssecsvc.exe
  PID 1284 mssecsvc.exe wrote to memory of 372 wininit.exe
  PID 1284 mssecsvc.exe wrote to memory of 384 csrss.exe
  PID 1284 mssecsvc.exe wrote to memory of 420 winlogon.exe
  PID 1284 mssecsvc.exe wrote to memory of 464 services.exe
  PID 1284 mssecsvc.exe wrote to memory of 480 lsass.exe
  PID 1284 mssecsvc.exe wrote to memory of 488 lsm.exe
  PID 1284 mssecsvc.exe wrote to memory of 588 svchost.exe
  PID 1284 mssecsvc.exe wrote to memory of 664 svchost.exe
Processes (the number is the process's depth in the tree)
- C:\Windows\system32\lsass.exe (command line: C:\Windows\system32\lsass.exe) depth 1
- C:\Windows\system32\services.exe (command line: C:\Windows\system32\services.exe) depth 1
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe") depth 2
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork) depth 2
- C:\Windows\System32\spoolsv.exe (command line: C:\Windows\System32\spoolsv.exe) depth 2
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k NetworkService) depth 2
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k netsvcs) depth 2
- C:\Windows\system32\wbem\WMIADAP.EXE (command line: wmiadap.exe /F /T /R) depth 3
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k LocalService) depth 2
- C:\Windows\System32\svchost.exe (command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted) depth 2
- C:\Windows\System32\svchost.exe (command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) depth 2
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k RPCSS) depth 2
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k DcomLaunch) depth 2
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}) depth 3
- C:\WINDOWS\mssecsvc.exe (command line: C:\WINDOWS\mssecsvc.exe -m security) depth 2
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\winlogon.exe (command line: winlogon.exe) depth 1
- C:\Windows\system32\csrss.exe (command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16) depth 1
- C:\Windows\system32\wininit.exe (command line: wininit.exe) depth 1
- C:\Windows\system32\lsm.exe (command line: C:\Windows\system32\lsm.exe) depth 2
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) depth 1
- C:\Windows\system32\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b844461a7d4106ec8be10206c0e79202abb15f58455437da042191ecd456f908.dll,#1) depth 2
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\rundll32.exe (command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b844461a7d4106ec8be10206c0e79202abb15f58455437da042191ecd456f908.dll,#1) depth 3
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
- C:\WINDOWS\mssecsvc.exe (command line: C:\WINDOWS\mssecsvc.exe) depth 4
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe") depth 1
Downloads
- C:\WINDOWS\MSSECSVC.EXE
  MD5: 25fd0251076e9423c2c43bef610980a6
  SHA1: f53d9047fd3d53579123beab0491c7c4b31638d7
  SHA256: e9f2e27814b1c31dafeca36811c54e710daa2f768041d380d80af8f1d201a15b
  SHA512: 29bd21974e55ba6c85a142d750ecfef78a43b1980a0674b02c297ed4491620b69cdf6152cb4f6144ddfad361c6c642e39892e49b1fb8544e22053ccc5960d295
- C:\Windows\mssecsvc.exe
  MD5: 25fd0251076e9423c2c43bef610980a6
  SHA1: f53d9047fd3d53579123beab0491c7c4b31638d7
  SHA256: e9f2e27814b1c31dafeca36811c54e710daa2f768041d380d80af8f1d201a15b
  SHA512: 29bd21974e55ba6c85a142d750ecfef78a43b1980a0674b02c297ed4491620b69cdf6152cb4f6144ddfad361c6c642e39892e49b1fb8544e22053ccc5960d295
- memory/1284-61-0x0000000000000000-mapping.dmp
- memory/1284-67-0x000000007EF70000-0x000000007EF7C000-memory.dmp (filesize: 48KB)
- memory/2000-59-0x0000000000000000-mapping.dmp
- memory/2000-60-0x00000000766D1000-0x00000000766D3000-memory.dmp (filesize: 8KB)