Analysis
- max time kernel: 67s
- max time network: 71s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 26-06-2022 23:08
Static task: static1
Behavioral task: behavioral1
- Sample: 35c50669ff577d92f0ffe5f21a394aa1da8e929f12b92594f1f503f9ea263e3e.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 35c50669ff577d92f0ffe5f21a394aa1da8e929f12b92594f1f503f9ea263e3e.dll
- Resource: win10v2004-20220414-en
General
- Target: 35c50669ff577d92f0ffe5f21a394aa1da8e929f12b92594f1f503f9ea263e3e.dll
- Size: 5.0MB
- MD5: 856e92809fcf1535c03dac80c00a0122
- SHA1: a27d855df5fb05888023ad4dc23212878b4bfdf6
- SHA256: 35c50669ff577d92f0ffe5f21a394aa1da8e929f12b92594f1f503f9ea263e3e
- SHA512: 88b17f5c28ba5a1784cb609f002fba8f94932c47d4957917db225afef59db1313f14d63e5e16c5e0b807786d89af7f17be00d1dd94f2dea48e5585b663e4ce5f
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
Executes dropped EXE (3 IoCs)
- PID 904: mssecsvc.exe
- PID 1936: mssecsvc.exe
- PID 872: tasksche.exe
Drops file in System32 directory (1 IoC)
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
Note: counters.dat under the SysWOW64 systemprofile is the WinINet cache bookkeeping file of a 32-bit process running as SYSTEM; it is a side effect of the HTTP request, not a payload drop.
Drops file in Windows directory (2 IoCs)
- File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
- File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
Modifies data under HKEY_USERS (24 IoCs)
All entries below were written by mssecsvc.exe.
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadDecision = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadDecisionReason = "1"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadNetworkName = "Network 2"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2\WpadDecisionTime = 4017159ec389d801
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2\WpadDecision = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\WpadDecisionTime = 4017159ec389d801
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0099000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{783CE2C9-3184-4CE6-B262-F9EA483ADFB1}\22-c1-b6-ea-72-f2
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-c1-b6-ea-72-f2\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (value not shown in the report)
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Note: HKEY_USERS\.DEFAULT is the LocalSystem profile. These are the WPAD proxy auto-detect, connection and cache keys that WinINet creates when a process running as SYSTEM issues an HTTP request; they record that the service instance went out to the network and are not a persistence mechanism.
Suspicious use of WriteProcessMemory (11 IoCs)
- PID 1224 (rundll32.exe) wrote to memory of PID 1348 (rundll32.exe): 7 events
- PID 1348 (rundll32.exe) wrote to memory of PID 904 (mssecsvc.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe (PID 1224)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\35c50669ff577d92f0ffe5f21a394aa1da8e929f12b92594f1f503f9ea263e3e.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1348)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\35c50669ff577d92f0ffe5f21a394aa1da8e929f12b92594f1f503f9ea263e3e.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 904)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 872)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1936)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Reading the tree: the ",#1" suffix tells rundll32.exe to call the DLL's export at ordinal 1, and the 64-bit rundll32.exe under system32 hands off to the 32-bit copy under SysWOW64 to host a 32-bit DLL, which is why two rundll32.exe processes appear. The second mssecsvc.exe instance (PID 1936, "-m security") is shown as a separate root, i.e. its parent is not part of this tree; it is the instance that touched the LocalSystem registry profile and the WinINet cache file.
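The process chain above as hunting logic, written as an added example for this report (it is not output of the sandbox and not code from the sample). It replays constructed Sysmon-style process-creation records that mirror the tree, plus constructed file-write records carrying the SHA256 values from the Downloads section, and flags the three behaviours the tree shows: a rundll32.exe ordinal call spawning an executable from the root of C:\WINDOWS, tasksche.exe run with /i, and mssecsvc.exe run with -m security. The field names (pid, ppid, image, cmdline) and the parent PIDs of the two tree roots are assumptions; the command lines, PIDs and hashes are taken from the report.

```python
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# SHA256 values of the two dropped binaries, copied from the report's Downloads section.
DROPPED_SHA256: Dict[str, str] = {
    "c4a38919712d2e69f041521eb5c486b05477aa9968abbe85e4dac47312ccf62a": "mssecsvc.exe",
    "3e8e919f78df0489f288f7e15b077e008e0cc6f808619611b90b7d6e1788e1d9": "tasksche.exe",
}

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\35c50669ff577d92f0ffe5f21a394aa1da8e929f12b92594f1f503f9ea263e3e.dll")

# Constructed process-creation records mirroring the report's process tree.
# Field names follow Sysmon Event ID 1 (assumption). The ppid values 600 and 480
# for the two tree roots are invented: the report does not show their parents.
SAMPLE_EVENTS = [
    {"pid": 1224, "ppid": 600,  "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 1348, "ppid": 1224, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 904,  "ppid": 1348, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 872,  "ppid": 904,  "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 1936, "ppid": 480,  "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Benign noise (constructed): a legitimate rundll32 call that must not match.
    {"pid": 2000, "ppid": 600,  "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Constructed file-write records (path, sha256); the third one is a benign decoy.
SAMPLE_FILES = [
    (r"C:\WINDOWS\mssecsvc.exe", "c4a38919712d2e69f041521eb5c486b05477aa9968abbe85e4dac47312ccf62a"),
    (r"C:\WINDOWS\tasksche.exe", "3e8e919f78df0489f288f7e15b077e008e0cc6f808619611b90b7d6e1788e1d9"),
    (r"C:\Users\Admin\notes.txt", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

# rundll32 invoked with an ordinal export, e.g. "...\x.dll,#1"
ORDINAL_CALL = re.compile(r"\.dll,#\d+\b", re.IGNORECASE)
WINDOWS_ROOT = r"c:\windows"


def _in_windows_root(image: str) -> bool:
    """True for an image that sits directly in C:\\Windows, not in a subdirectory."""
    return ntpath.dirname(image).lower() == WINDOWS_ROOT


def detect_process_chain(events: Iterable[dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) findings for the behaviours in the report's process tree."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in by_pid.values():
        name = ntpath.basename(e["image"]).lower()
        args = e["cmdline"].lower()
        parent = by_pid.get(e["ppid"])
        # Rule 1: an executable in the Windows root spawned by a rundll32 ordinal call
        # (rundll32 -> C:\WINDOWS\mssecsvc.exe in the report).
        if (parent is not None
                and ntpath.basename(parent["image"]).lower() == "rundll32.exe"
                and ORDINAL_CALL.search(parent["cmdline"])
                and _in_windows_root(e["image"])):
            findings.append(("rundll32_ordinal_spawns_windows_root_exe", e["pid"]))
        # Rule 2: the dropped tasksche.exe run with its /i switch.
        if name == "tasksche.exe" and " /i" in args:
            findings.append(("tasksche_install_switch", e["pid"]))
        # Rule 3: the service-mode instance of mssecsvc.exe.
        if name == "mssecsvc.exe" and "-m security" in args:
            findings.append(("mssecsvc_service_mode", e["pid"]))
    return findings


def match_dropped_files(files: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (path, known_name) for files whose SHA256 matches a dropped binary from the report."""
    return [(path, DROPPED_SHA256[sha.lower()]) for path, sha in files
            if sha.lower() in DROPPED_SHA256]


if __name__ == "__main__":
    for rule, pid in detect_process_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
    for path, name in match_dropped_files(SAMPLE_FILES):
        print(f"hash match: {path} is {name}")
```

Rule 1 is deliberately keyed on the parent's command line rather than the child's name, so it still fires if a variant renames the dropped executable; rules 2 and 3 are the report's exact command lines and will only catch this family's unmodified droppers.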
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 672fc3725d55f9d191584b98027dee35
  SHA1: 9b57fd801557f95c332984d38bdaa2bbde6992ac
  SHA256: c4a38919712d2e69f041521eb5c486b05477aa9968abbe85e4dac47312ccf62a
  SHA512: 764ceccd4d235990582b7ba458f0deef8c92d62eb41c3c37dc8dd4f881fbaef1dd2336dfab71aeca37022329167f9b85f264e008e4a453092e2326d47ea0bb81
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3045fdbfd3f2cbaf2def7fe118b01a95
  SHA1: 85e3542812ad1b40845b941e00b4b77f2434153c
  SHA256: 3e8e919f78df0489f288f7e15b077e008e0cc6f808619611b90b7d6e1788e1d9
  SHA512: dba0203e4f9e8e9d4f1bf154aa8a891f503292a39b193d497759d94de0ad3a2166b850b65c76eaf0d3bc4342a57e691678cce60b42d3353f951449c4ff5cc58d
- memory/904-56-0x0000000000000000-mapping.dmp
- memory/1348-54-0x0000000000000000-mapping.dmp
- memory/1348-55-0x0000000076531000-0x0000000076533000-memory.dmp
  Filesize: 8KB