Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 04:02

Static task: static1
Behavioral task: behavioral1
  Sample: 41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll
  Resource: win10v2004-20220414-en

General
- Target: 41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll
- Size: 5.0MB
- MD5: ad46e85c3890145837f40e4f26720a87
- SHA1: 6e349a578fcbd339f54f718caf9371a887c5665f
- SHA256: 41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5
- SHA512: dc7146efa798f3b3194b30c49bfa82a47f09f4f961afacebdff6065c3fbd89c67f251aabf18da29b718c344a9b02727493353ea8347e0f4dd164315690dbbed4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
  Taken together, the two Suricata alerts record the sample's HTTP request to its killswitch domain and a reply from the Kryptos Logic sinkhole.
- Contacts a large (1290) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID   Process
  1456  mssecsvc.exe
  1200  mssecsvc.exe
  268   tasksche.exe
- Drops file in System32 directory (1 IoC)
  Description                   IoC                                                                                                            Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs, all by mssecsvc.exe)
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D24B047A-635D-4893-8715-6CE1BDA2A16F}\WpadDecisionReason = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D24B047A-635D-4893-8715-6CE1BDA2A16F}\WpadDecision = "0"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-39-56-89-e1-f7\WpadDecisionTime = 008dbe77a792d801
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-39-56-89-e1-f7\WpadDecision = "0"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0086000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D24B047A-635D-4893-8715-6CE1BDA2A16F}
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-39-56-89-e1-f7
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D24B047A-635D-4893-8715-6CE1BDA2A16F}\32-39-56-89-e1-f7
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-39-56-89-e1-f7\WpadDecisionReason = "1"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D24B047A-635D-4893-8715-6CE1BDA2A16F}\WpadDecisionTime = 008dbe77a792d801
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D24B047A-635D-4893-8715-6CE1BDA2A16F}\WpadNetworkName = "Network 3"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Note: every entry sits under the .DEFAULT hive (the SYSTEM profile) and is a WinINet proxy auto-detection (WPAD) or Internet Settings housekeeping value. These are the registry side effects of a SYSTEM-context process issuing an HTTP request, consistent with the killswitch request alerted on above; they are not a persistence mechanism, and the counters.dat write under SysWOW64\config\systemprofile has the same origin.
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID   Process       Target PID  Target process  Writes
  632   rundll32.exe  1628        rundll32.exe    7
  1628  rundll32.exe  1456        mssecsvc.exe    4
  Note: both rows are parent-to-child writes at process creation (the System32 rundll32.exe handing the 32-bit DLL to the SysWOW64 rundll32.exe, which then launches the dropped mssecsvc.exe), so they describe process lineage rather than injection into an unrelated process.
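The "contacts a large number of remote hosts" signature above is a raw count over the whole run (1290 hosts in roughly 150 s). The following is an added example, not part of this report or of the sandbox's own detection code: it derives the same verdict from a per-process connection log, but with a sliding window, so a long-lived process that slowly accumulates many destinations is not confused with a sweep. The log format, the PIDs, the image names, the addresses and the use of port 445 in the sample are constructed assumptions, not values taken from the report.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO timestamp> <pid> <image> <dst_ip>:<dst_port>"
def parse_line(line):
    ts, pid, image, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), int(pid), image, ip, int(port)

def peak_distinct_hosts(events, window=timedelta(seconds=60)):
    """For each (pid, image): the largest number of distinct destination IPs
    contacted inside any window of the given length (sliding over sorted events)."""
    by_proc = defaultdict(list)
    for ts, pid, image, ip, _port in events:
        by_proc[(pid, image)].append((ts, ip))
    peaks = {}
    for key, evs in by_proc.items():
        evs.sort()
        in_window = deque()          # (ts, ip) events inside the current window
        live = defaultdict(int)      # ip -> number of events still in the window
        best = 0
        for ts, ip in evs:
            in_window.append((ts, ip))
            live[ip] += 1
            # Drop events older than the window; the current one always stays.
            while ts - in_window[0][0] > window:
                _old_ts, old_ip = in_window.popleft()
                live[old_ip] -= 1
                if live[old_ip] == 0:
                    del live[old_ip]
            best = max(best, len(live))
        peaks[key] = best
    return peaks

def scan_candidates(log_text, threshold=100, window=timedelta(seconds=60)):
    """Processes that reached `threshold` distinct hosts within a single window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {k: v for k, v in peak_distinct_hosts(events, window).items() if v >= threshold}

def make_sample_log():
    """Constructed sample: PID 1200 sweeping a /24 on 445 in about 25 s, next to
    a browser (PID 4000, also constructed) that talks to three hosts repeatedly."""
    base = datetime(2022, 7, 8, 4, 2, 10)
    lines = []
    for i in range(1, 255):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 1200 mssecsvc.exe 10.0.0.{i}:445")
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 4000 browser.exe 93.184.216.{i % 3}:443")
    return "\n".join(lines)

if __name__ == "__main__":
    for (pid, image), n in scan_candidates(make_sample_log()).items():
        print(f"possible scan: {image} (pid {pid}) reached {n} distinct hosts within 60s")
```

With the constructed input only the sweeping process crosses the threshold; the browser peaks at three distinct hosts however long it runs. The window length and threshold are the tuning knobs: against a sweep of the size this report records, 100 distinct hosts per minute fires within the first minute.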
Processes
- C:\Windows\system32\rundll32.exe (PID 632)
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1628)
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1456)
      Command: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 268)
        Command: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1200)
  Command: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
(PIDs are taken from the IoC tables above; the second mssecsvc.exe instance, started with -m security, has no parent in the tree, consistent with being started as a service.)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe (also logged as C:\Windows\mssecsvc.exe; identical digests)
  Filesize: 3.6MB
  MD5: 134bf392d1f94f6769ddd428008d9649
  SHA1: de91f6fffce478eaa2aafccf1781439968965447
  SHA256: bfc2651980c65c67db98f202bf72e063dab60dc7714e7ed33a5f0a5ffa6f2c3b
  SHA512: 7555e446aa60008cadf567425429579ef5f98aa88580e9b97f49e52191338026d2c13a6da697f0b0e99c90aa37f97a29ae715994b0b57f30896dded8c426f2e5
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 302259d656616b116cf96d64964a471a
  SHA1: a74de128df0e7e243e9d8b474e155675e13ba4b0
  SHA256: 332b33d2ae5b777ff16b03de5d5b345abb9630fe0a27b85277a79710aa010c0e
  SHA512: 00b0e5a7cf50d6759ecc406d626fa0e0ecb499125afcc2785b91de0b967a19f1ae677587e9106f59f5249acdda2acf87643da6ac45e7a8b0212b28d1edfc47d6
- memory/1456-56-0x0000000000000000-mapping.dmp
- memory/1628-54-0x0000000000000000-mapping.dmp
- memory/1628-55-0x0000000075391000-0x0000000075393000-memory.dmp
  Filesize: 8KB
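A host-side check for the dropped files listed above, as an added example that is not part of this report: it hashes candidate files in one streaming pass and matches MD5, SHA-1 and SHA-256 against the digests the report gives for mssecsvc.exe and tasksche.exe, reporting missing paths separately so "not present" is not mistaken for "clean". The digest values are copied from the Downloads section; the path list to sweep and the demo input are assumptions.

```python
import hashlib
import io
from pathlib import Path

# Digests copied from the Downloads section of this report (dropped files).
IOC_HASHES = {
    "134bf392d1f94f6769ddd428008d9649": "mssecsvc.exe",
    "de91f6fffce478eaa2aafccf1781439968965447": "mssecsvc.exe",
    "bfc2651980c65c67db98f202bf72e063dab60dc7714e7ed33a5f0a5ffa6f2c3b": "mssecsvc.exe",
    "302259d656616b116cf96d64964a471a": "tasksche.exe",
    "a74de128df0e7e243e9d8b474e155675e13ba4b0": "tasksche.exe",
    "332b33d2ae5b777ff16b03de5d5b345abb9630fe0a27b85277a79710aa010c0e": "tasksche.exe",
}

# Locations the report shows the dropper writing to (assumed sweep list).
DROP_PATHS = [r"C:\Windows\mssecsvc.exe", r"C:\Windows\tasksche.exe"]

def digest_stream(fobj, chunk=1 << 20):
    """Read a binary stream once and produce the three digests the report lists."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for block in iter(lambda: fobj.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data):
    return digest_stream(io.BytesIO(data))

def hash_file(path):
    with open(path, "rb") as f:
        return digest_stream(f)

def match_digests(digests_by_path, iocs=IOC_HASHES):
    """Return {path: (algorithm, label)} for every file whose digest is in the IOC set.
    SHA-256 is checked first; MD5 and SHA-1 are kept only because feeds publish them."""
    hits = {}
    for path, digests in digests_by_path.items():
        for algo in ("sha256", "sha1", "md5"):
            if digests[algo] in iocs:
                hits[path] = (algo, iocs[digests[algo]])
                break
    return hits

def sweep(paths=DROP_PATHS):
    """Hash the candidate files that exist and list the ones that do not."""
    present, missing = {}, []
    for p in map(Path, paths):
        if p.is_file():
            present[str(p)] = hash_file(p)
        else:
            missing.append(str(p))
    return match_digests(present), missing

if __name__ == "__main__":
    hits, missing = sweep()
    for path, (algo, label) in hits.items():
        print(f"MATCH {path}: {algo} equals the report's digest for {label}")
    for path in missing:
        print(f"absent: {path}")
```

Run on a Windows host the sweep reads the two paths the report names; anywhere else the paths simply do not exist and are reported as absent. Extend DROP_PATHS with any other location a local copy of the dropper could land in; a match on any one algorithm is enough to flag the file.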