Analysis
- max time kernel: 152s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-06-2022 19:56
Static task: static1
Behavioral task: behavioral1
  Sample: 34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll
  Resource: win10v2004-20220414-en
General
- Target: 34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll
- Size: 5.0MB
- MD5: ab02e31aa2a8ea6eecc684bfa2e3c185
- SHA1: 6665249de09b0900743d45e141c0ec186d2e00b2
- SHA256: 34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12
- SHA512: b3b8f69b5ee03890c41a4619d50dc3bcb569b5921395b226f52f790a53b553006e9ac9be417667a31664443bf7bf6cb0928c63873ffab4267268938afa6923b0
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large (1066) amount of remote hosts (1 TTPs): this may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid  | process
  944  | mssecsvc.exe
  1184 | mssecsvc.exe
  1200 | tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-41-59-f1-3e-c3 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-41-59-f1-3e-c3\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-41-59-f1-3e-c3\WpadDecisionTime = 705b26912884d801 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0DBDAA4-B0C9-4591-85F5-2DF8CD6D2D7D}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f005e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0DBDAA4-B0C9-4591-85F5-2DF8CD6D2D7D} | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-41-59-f1-3e-c3\WpadDecision = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0DBDAA4-B0C9-4591-85F5-2DF8CD6D2D7D}\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0DBDAA4-B0C9-4591-85F5-2DF8CD6D2D7D}\2e-41-59-f1-3e-c3 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0DBDAA4-B0C9-4591-85F5-2DF8CD6D2D7D}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B0DBDAA4-B0C9-4591-85F5-2DF8CD6D2D7D}\WpadDecisionTime = 705b26912884d801 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2004 wrote to memory of 1208 | 2004 | rundll32.exe | rundll32.exe
  PID 2004 wrote to memory of 1208 | 2004 | rundll32.exe | rundll32.exe
  PID 2004 wrote to memory of 1208 | 2004 | rundll32.exe | rundll32.exe
  PID 2004 wrote to memory of 1208 | 2004 | rundll32.exe | rundll32.exe
  PID 2004 wrote to memory of 1208 | 2004 | rundll32.exe | rundll32.exe
  PID 2004 wrote to memory of 1208 | 2004 | rundll32.exe | rundll32.exe
  PID 2004 wrote to memory of 1208 | 2004 | rundll32.exe | rundll32.exe
  PID 1208 wrote to memory of 944 | 1208 | rundll32.exe | mssecsvc.exe
  PID 1208 wrote to memory of 944 | 1208 | rundll32.exe | mssecsvc.exe
  PID 1208 wrote to memory of 944 | 1208 | rundll32.exe | mssecsvc.exe
  PID 1208 wrote to memory of 944 | 1208 | rundll32.exe | mssecsvc.exe
Processes (process tree; child processes are indented under their parent)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 944dcb3668f571b7156dd18f924438fc
  SHA1: aed293f799bcda119e84d176406d442f04f8433a
  SHA256: 97d12bb65fc078d6d6bc006963e3fa5c91c7e495ea28257fed9c87b17971a825
  SHA512: 2ab60a73346f429962d2e912319f7b9bcb5b5951599642b7f47a00f3d68d60aadf9898581daa2653feecd8e4184615ba420ac30547bb35a7185d34e5025c39cf
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 944dcb3668f571b7156dd18f924438fc
  SHA1: aed293f799bcda119e84d176406d442f04f8433a
  SHA256: 97d12bb65fc078d6d6bc006963e3fa5c91c7e495ea28257fed9c87b17971a825
  SHA512: 2ab60a73346f429962d2e912319f7b9bcb5b5951599642b7f47a00f3d68d60aadf9898581daa2653feecd8e4184615ba420ac30547bb35a7185d34e5025c39cf
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 5914e52020bf8dcc1832e5864c85b531
  SHA1: 15fc8b4e98241605e9cadf84801d6e573d6495da
  SHA256: 67952d1154d57ae8272db63f8f746c11763008332420737da6db50c81b018ec8
  SHA512: 53a2a4f3f09c137cc348a1126e805a471965fd24a58df081fd79f6de10fcd2d4ba7637139664ff6c5df119762f602b531c5e7f0d74410bdcfd3cc23193d86ed3
- memory/944-56-0x0000000000000000-mapping.dmp
- memory/1208-54-0x0000000000000000-mapping.dmp
- memory/1208-55-0x0000000076191000-0x0000000076193000-memory.dmp
  Filesize: 8KB