Analysis
- max time kernel: 151s
- max time network: 159s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 00:43
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll
  - Resource: win7-20220414-en
- Behavioral task: behavioral2
  - Sample: 42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll
  - Resource: win10v2004-20220414-en
General
- Target: 42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll
- Size: 5.0MB
- MD5: 3ce4cffc202ddafe9e2b2c8f570f4e16
- SHA1: f331a320d11d62823847ed76228e2e706df6aa2c
- SHA256: 42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c
- SHA512: 24484046e1075e475d58aff29dbe62471bd62925d91209a961fee74007a869c4e5bd4484d38984f65bcff3b7a65adccb711a206a3b25ccd45b894c3065cb4e95
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large (1118) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 1976: mssecsvc.exe
  - PID 896: mssecsvc.exe
  - PID 624: tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (all entries below)
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29D83540-31DD-42C8-85D6-D33829E83E0C}\WpadDecisionTime = 60d447cd8592d801
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-94-d9-59-16-48
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29D83540-31DD-42C8-85D6-D33829E83E0C}\WpadDecisionReason = "1"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29D83540-31DD-42C8-85D6-D33829E83E0C}\WpadDecision = "0"
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29D83540-31DD-42C8-85D6-D33829E83E0C}\WpadNetworkName = "Network 3"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29D83540-31DD-42C8-85D6-D33829E83E0C}\d2-94-d9-59-16-48
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-94-d9-59-16-48\WpadDecisionTime = 60d447cd8592d801
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-94-d9-59-16-48\WpadDecisionReason = "1"
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d2-94-d9-59-16-48\WpadDecision = "0"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29D83540-31DD-42C8-85D6-D33829E83E0C}
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  - PID 1944 (rundll32.exe) wrote to memory of PID 1972 (rundll32.exe), 7 times
  - PID 1972 (rundll32.exe) wrote to memory of PID 1976 (mssecsvc.exe), 4 times
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\42e4a37e63221e523a92700253c928d9f14022bc4078a88182e0f5a3021b3f3c.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: 31def06abbda1f1bb66478c529472968
  - SHA1: 415434f6d7cf11afa36380a7c4b9d810b8106ed7
  - SHA256: 61ab25674aa2529ff9e581e829537544aeb00004c1a861f30e91d335030e8515
  - SHA512: 217f571187700877ea6ed1a88f7bbd27ebff586f9d0dbaeefd65f48bf42733264305ecbd4992f3bcbfe96679bb772e7996e42d9aceafb1c809645873afc48c40
- C:\Windows\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: 31def06abbda1f1bb66478c529472968
  - SHA1: 415434f6d7cf11afa36380a7c4b9d810b8106ed7
  - SHA256: 61ab25674aa2529ff9e581e829537544aeb00004c1a861f30e91d335030e8515
  - SHA512: 217f571187700877ea6ed1a88f7bbd27ebff586f9d0dbaeefd65f48bf42733264305ecbd4992f3bcbfe96679bb772e7996e42d9aceafb1c809645873afc48c40
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: f2fc595e0263ee99769ec3805bb7768e
  - SHA1: 21c3b65c906ff24a4759271537b8da01516d841d
  - SHA256: 85117a97158c171ef7de01771ffdc172df4c09689fa1d579513d27a4a861351f
  - SHA512: 512a12f68ae5c7e61961c38d6cfb33e2e796ef0afe29170c67764830d7200ae5fb675d83df96dfde1a28994331d81cb7b4b56f8f58fc923c0fc73168a03cf99c
- memory/1972-54-0x0000000000000000-mapping.dmp
- memory/1972-55-0x0000000076191000-0x0000000076193000-memory.dmp
  - Filesize: 8KB
- memory/1976-56-0x0000000000000000-mapping.dmp