Analysis
- Max time kernel: 42s
- Max time network: 46s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 16-06-2022 04:54
- Static task: static1
- Behavioral task: behavioral1
  Sample: 276c1f2820466b60541694851bd5546b5c109e04fa6c99822f2649d89f970b5c.dll
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 276c1f2820466b60541694851bd5546b5c109e04fa6c99822f2649d89f970b5c.dll
  Resource: win10v2004-20220414-en
General
- Target: 276c1f2820466b60541694851bd5546b5c109e04fa6c99822f2649d89f970b5c.dll
- Size: 5.0MB
- MD5: cb99dbcc738243976831a1a5af249010
- SHA1: 11b3de1c41e9d87610011145d0f81eeb5c44a8ca
- SHA256: 276c1f2820466b60541694851bd5546b5c109e04fa6c99822f2649d89f970b5c
- SHA512: 3a24cb1d1fcf846efa62c458eabef31368a5fab5470ba3902e7e377524607a250be5aa0ecd1d46f08cb3754344edb87d4185e9c0cf9a2d0282b40b18effe447e
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 1812: mssecsvc.exe
  - PID 1364: mssecsvc.exe
  - PID 872: tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (all operations by mssecsvc.exe):
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2\WpadDecisionTime = a0b8b6375381d801
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadDecision = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadNetworkName = "Network 2"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\22-c1-b6-ea-72-f2
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadDecisionTime = a0b8b6375381d801
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2\WpadDecisionReason = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0099000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadDecisionReason = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (source PID, source process, target PID, target process):
  - PID 1612 (rundll32.exe) wrote to memory of PID 1304 (rundll32.exe)
  - PID 1612 (rundll32.exe) wrote to memory of PID 1304 (rundll32.exe)
  - PID 1612 (rundll32.exe) wrote to memory of PID 1304 (rundll32.exe)
  - PID 1612 (rundll32.exe) wrote to memory of PID 1304 (rundll32.exe)
  - PID 1612 (rundll32.exe) wrote to memory of PID 1304 (rundll32.exe)
  - PID 1612 (rundll32.exe) wrote to memory of PID 1304 (rundll32.exe)
  - PID 1612 (rundll32.exe) wrote to memory of PID 1304 (rundll32.exe)
  - PID 1304 (rundll32.exe) wrote to memory of PID 1812 (mssecsvc.exe)
  - PID 1304 (rundll32.exe) wrote to memory of PID 1812 (mssecsvc.exe)
  - PID 1304 (rundll32.exe) wrote to memory of PID 1812 (mssecsvc.exe)
  - PID 1304 (rundll32.exe) wrote to memory of PID 1812 (mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe (PID 1612)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\276c1f2820466b60541694851bd5546b5c109e04fa6c99822f2649d89f970b5c.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1304)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\276c1f2820466b60541694851bd5546b5c109e04fa6c99822f2649d89f970b5c.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1812)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 872)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1364)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 1c2cbf9b0ccb996cd409d5e04f984c8b
  SHA1: b917edbc6195f05bd90f018304a5801b4ca24592
  SHA256: 780a9129e626c4867bc6534ad94aca8f52a904b25f840f3ffdba03258d23cfc2
  SHA512: 30a91b10aa74ad5a1f293364fce07ba9ac031b5fc5ea3798de02593f1eb9fbf1147a847b2ad0fc7cd59d428cabd3f261b06bd1e8676f137b30b81b75fd87248a
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a3237e084ef19e3276e890d4c407c394
  SHA1: 50c0a4b38fb2d8f9ca5cbc70a40e8f0f29eb98e6
  SHA256: 545e161df72ba71155cfb65abbefb621ee54317593cfe5ce586794112185b2da
  SHA512: 2bfa2262d440c88a2fcd232df61d33cdfc89acde14980bcfaf1c646b1fcad18a44170b1f700604bea9d6940bee33998b27e1cde91385c36df2ef7390bb8792da
- memory/1304-54-0x0000000000000000-mapping.dmp
- memory/1304-55-0x0000000076531000-0x0000000076533000-memory.dmp
  Filesize: 8KB
- memory/1812-56-0x0000000000000000-mapping.dmp