Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 07:53
Static task: static1
Behavioral task: behavioral1
- Sample: 46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df.dll
- Resource: win10v2004-20220414-en
General
- Target: 46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df.dll
- Size: 5.0MB
- MD5: 621bfac4cd27269134254c88cf1c7013
- SHA1: 4aba70305bf2f5cfefc9de70fff6ea98b25b1b29
- SHA256: 46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df
- SHA512: c7cafd9a7bf33ce974590134d3bdb2a67cad7bfc864307495e87606e7fd08f3abe2019c0e65ddcdf45f65ce46971dfb0c9ac696c09fa3f344c7900ef6fdb2002
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large (1237) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 1828 mssecsvc.exe
  - 1276 mssecsvc.exe
  - 1564 tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process), all by mssecsvc.exe:
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-48-2f-17-bd-94\WpadDecisionTime = d06d97a4e791d801
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7B1C7B4-FD7E-4C3A-9A72-E421FB7FE318}\WpadDecisionReason = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7B1C7B4-FD7E-4C3A-9A72-E421FB7FE318}\WpadDecisionTime = d06d97a4e791d801
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7B1C7B4-FD7E-4C3A-9A72-E421FB7FE318}\WpadDecision = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7B1C7B4-FD7E-4C3A-9A72-E421FB7FE318}\WpadNetworkName = "Network 3"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-48-2f-17-bd-94
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7B1C7B4-FD7E-4C3A-9A72-E421FB7FE318}\46-48-2f-17-bd-94
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-48-2f-17-bd-94\WpadDecisionReason = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7B1C7B4-FD7E-4C3A-9A72-E421FB7FE318}
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-48-2f-17-bd-94\WpadDecision = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 328 wrote to memory of 324: rundll32.exe -> rundll32.exe
  - PID 328 wrote to memory of 324: rundll32.exe -> rundll32.exe
  - PID 328 wrote to memory of 324: rundll32.exe -> rundll32.exe
  - PID 328 wrote to memory of 324: rundll32.exe -> rundll32.exe
  - PID 328 wrote to memory of 324: rundll32.exe -> rundll32.exe
  - PID 328 wrote to memory of 324: rundll32.exe -> rundll32.exe
  - PID 328 wrote to memory of 324: rundll32.exe -> rundll32.exe
  - PID 324 wrote to memory of 1828: rundll32.exe -> mssecsvc.exe
  - PID 324 wrote to memory of 1828: rundll32.exe -> mssecsvc.exe
  - PID 324 wrote to memory of 1828: rundll32.exe -> mssecsvc.exe
  - PID 324 wrote to memory of 1828: rundll32.exe -> mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\46bb61b2ce95915c363845b5e3e9d76fc320e3dff3e05c60b581917678a3f4df.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 12a2af8a31c89aa0db17e737acd67e91
  SHA1: 6f8078f618e8e240188d04453613eefef10a2416
  SHA256: 4abed8f38696446653350b0231f135be6c6acd6e57d6e9b15975f79ce1b79dcf
  SHA512: 857a07b14ce0163e3b74fca885e8524742f753abb4bd249f1998db2ef72fe1bba9231051d87449e90d7cad02db0b6f9cb3a2083c3f66396af76fdff13e8f4db2
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 12a2af8a31c89aa0db17e737acd67e91
  SHA1: 6f8078f618e8e240188d04453613eefef10a2416
  SHA256: 4abed8f38696446653350b0231f135be6c6acd6e57d6e9b15975f79ce1b79dcf
  SHA512: 857a07b14ce0163e3b74fca885e8524742f753abb4bd249f1998db2ef72fe1bba9231051d87449e90d7cad02db0b6f9cb3a2083c3f66396af76fdff13e8f4db2
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0cd18d69348c5b9996ee1305ebe9b733
  SHA1: 88d9ecccb28fa270e8fa066ff3a78350a5c795ce
  SHA256: 80432c03277cb1a56b9855adf12de0b13ff5a08bce5e316fd0d38f93a1c23019
  SHA512: 87119a6ad0a268ee038060753670e6789fb36418b3a57c6328a397f81002b992bc9be6d0befeedfb7dda1d639780f181c0eae33666f3b2ef539915a8090a1d02
- memory/324-54-0x0000000000000000-mapping.dmp
- memory/324-55-0x0000000076191000-0x0000000076193000-memory.dmp
  Filesize: 8KB
- memory/1828-56-0x0000000000000000-mapping.dmp