Analysis
max time kernel: 153s
max time network: 206s
platform: windows7_x64
resource: win7-20220414-en
submitted: 01-07-2022 05:48
Static task: static1
Behavioral task: behavioral1
  Sample: 74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707.dll
  Resource: win10v2004-20220414-en
General
Target: 74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707.dll
Size: 5.0MB
MD5: da480470e229f27bb2632ade91b37300
SHA1: 7da6b9048707adf18c997bcaec32d6bebc5580fb
SHA256: 74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707
SHA512: a39fba8d3b45345ed54dda14acecdbe815af7261eeabb7bd53ec321d31c0d1ad7a2d0e6e67c7596fbad9bc921c65f2635ec1dfb00805768124a2b17dd7c22d2d
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
Contacts a large number (830) of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes:
  PID 1408  mssecsvc.exe
  PID 1400  mssecsvc.exe
  PID 992   tasksche.exe
Drops file in System32 directory (1 IoC)
Processes:
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (process: mssecsvc.exe)
Drops file in Windows directory (2 IoCs)
Processes:
  File created: C:\WINDOWS\mssecsvc.exe  (process: rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe  (process: mssecsvc.exe)
Modifies data under HKEY_USERS (24 IoCs)
Processes: mssecsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 2024 rundll32.exe wrote to memory of PID 1380 rundll32.exe
  PID 2024 rundll32.exe wrote to memory of PID 1380 rundll32.exe
  PID 2024 rundll32.exe wrote to memory of PID 1380 rundll32.exe
  PID 2024 rundll32.exe wrote to memory of PID 1380 rundll32.exe
  PID 2024 rundll32.exe wrote to memory of PID 1380 rundll32.exe
  PID 2024 rundll32.exe wrote to memory of PID 1380 rundll32.exe
  PID 2024 rundll32.exe wrote to memory of PID 1380 rundll32.exe
  PID 1380 rundll32.exe wrote to memory of PID 1408 mssecsvc.exe
  PID 1380 rundll32.exe wrote to memory of PID 1408 mssecsvc.exe
  PID 1380 rundll32.exe wrote to memory of PID 1408 mssecsvc.exe
  PID 1380 rundll32.exe wrote to memory of PID 1408 mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74c9c570b7b1b383e0f5a266f0f7e17c1336f99e2df28e8be76f7d358c34d707.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Downloads
C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 883c9282416c4b2cf418fbde83502b52
  SHA1: 3eefd8dc469a01c992241bd879202a7e9841b598
  SHA256: fe2c8534a46d7fc3177c87912e725f05e09dc7739933c412d80bdde1f74dcdda
  SHA512: 081abae1ddea49b8aaac6f3b79387b297828a9c7d111672a96d840e2dd80f35d3d2625e0a8cdea25118befcc1d2e11638a509620f3cb1b4782ce8593a0c58983
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 913198f3e8dd9036ce5001f49b670fab
  SHA1: f3db77750604a3c586544763630354e71825b736
  SHA256: 84101afa0756983f0274efab7890f377b22356281bdd236a4657844d958effb2
  SHA512: 098818ea840a28f33ff60af0f0fabe907cf5052c935192c7661ffdcbe06c015d6843c55fa9d5b02d7cdde6da447c9ec0018f7339ddaee494298bf61618000352
Memory dumps:
  memory/1380-54-0x0000000000000000-mapping.dmp
  memory/1380-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmp  (Filesize: 8KB)
  memory/1408-56-0x0000000000000000-mapping.dmp