Analysis
max time kernel: 151s
max time network: 153s
platform: windows7_x64
resource: win7-20220414-en
submitted: 20-06-2022 23:30

Static task: static1

Behavioral task: behavioral1
  Sample: 314a2f9b8b7b9caf6b83142e4954de026aeacec7a78467e121d289c5389fee0b.dll
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: 314a2f9b8b7b9caf6b83142e4954de026aeacec7a78467e121d289c5389fee0b.dll
  Resource: win10v2004-20220414-en

General
Target: 314a2f9b8b7b9caf6b83142e4954de026aeacec7a78467e121d289c5389fee0b.dll
Size: 5.0MB
MD5: b3fcc20dffa1033a5e3ce437f38f6e02
SHA1: fb0a472b6a360834e603385283d1780d1eda050a
SHA256: 314a2f9b8b7b9caf6b83142e4954de026aeacec7a78467e121d289c5389fee0b
SHA512: 8979a5a95ec1aa841c9cafbc75990c3a6b426fad4fd1a348d3ce793d733911d76216c7b3ae8645a197439b2af69b596718f5c6c9f7edeb70268157400809d178
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large (1255) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid  | process
  1732 | mssecsvc.exe
  1076 | mssecsvc.exe
  1200 | tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{64EE1453-A8B5-4E12-A74A-1B6353A25994}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{64EE1453-A8B5-4E12-A74A-1B6353A25994}\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{64EE1453-A8B5-4E12-A74A-1B6353A25994}\3e-82-89-6a-71-60 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-82-89-6a-71-60\WpadDecisionTime = a038b6940e85d801 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{64EE1453-A8B5-4E12-A74A-1B6353A25994}\WpadDecisionTime = a038b6940e85d801 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{64EE1453-A8B5-4E12-A74A-1B6353A25994} | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{64EE1453-A8B5-4E12-A74A-1B6353A25994}\WpadNetworkName = "Network 2" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-82-89-6a-71-60 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-82-89-6a-71-60\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-82-89-6a-71-60\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1516 wrote to memory of 864 | 1516 | rundll32.exe | rundll32.exe
  PID 1516 wrote to memory of 864 | 1516 | rundll32.exe | rundll32.exe
  PID 1516 wrote to memory of 864 | 1516 | rundll32.exe | rundll32.exe
  PID 1516 wrote to memory of 864 | 1516 | rundll32.exe | rundll32.exe
  PID 1516 wrote to memory of 864 | 1516 | rundll32.exe | rundll32.exe
  PID 1516 wrote to memory of 864 | 1516 | rundll32.exe | rundll32.exe
  PID 1516 wrote to memory of 864 | 1516 | rundll32.exe | rundll32.exe
  PID 864 wrote to memory of 1732 | 864 | rundll32.exe | mssecsvc.exe
  PID 864 wrote to memory of 1732 | 864 | rundll32.exe | mssecsvc.exe
  PID 864 wrote to memory of 1732 | 864 | rundll32.exe | mssecsvc.exe
  PID 864 wrote to memory of 1732 | 864 | rundll32.exe | mssecsvc.exe
Processes
- Process: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\314a2f9b8b7b9caf6b83142e4954de026aeacec7a78467e121d289c5389fee0b.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - Child process: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\314a2f9b8b7b9caf6b83142e4954de026aeacec7a78467e121d289c5389fee0b.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - Child process: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - Child process: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- Process: C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5013eb6be94875fd22a074d43510ba82
  SHA1: d407ac35c1c5214dc88678e296f0c694b18dfe44
  SHA256: dec59866237b33c7ea5c17650039e46a93154d9317ba7c2595aab91fd669d599
  SHA512: 2b5b9687d336fe2c1f8a2dbf05efb0cd82f7592f2b35755166d8a6fc18c67d53562bb3076e1e738a7dd2cb1e86514ac520a576b3dc69ee1040e83a51d4129a72
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5013eb6be94875fd22a074d43510ba82
  SHA1: d407ac35c1c5214dc88678e296f0c694b18dfe44
  SHA256: dec59866237b33c7ea5c17650039e46a93154d9317ba7c2595aab91fd669d599
  SHA512: 2b5b9687d336fe2c1f8a2dbf05efb0cd82f7592f2b35755166d8a6fc18c67d53562bb3076e1e738a7dd2cb1e86514ac520a576b3dc69ee1040e83a51d4129a72
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 2341baf2d382f79649dc02af908acb2f
  SHA1: 73fdc67cd89ffe287ff611360962d3d0999d606a
  SHA256: 7876ffa07f870db351c73b17a1c22860ddd483475b6275d8bbb088a96c9941d6
  SHA512: daecadbb9ac860a88a13af699f6369e036019560d290e986b1c9905e6bc2c8877d5616b4345cde435c18d27ba52fedffd69bf344cf8bc1bc33b56e133a66e8d6
- memory/864-54-0x0000000000000000-mapping.dmp
- memory/864-55-0x00000000755A1000-0x00000000755A3000-memory.dmp
  Filesize: 8KB
- memory/1732-56-0x0000000000000000-mapping.dmp