Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 14-07-2022 01:55
Static task: static1
Behavioral task: behavioral1
  Sample: 48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll
  Resource: win10v2004-20220414-en
General
- Target: 48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll
- Size: 5.0MB
- MD5: 1ced543091b9dc5fd59237f675d6dd90
- SHA1: d464770ef157cef154d181573c81bd3cba357127
- SHA256: 48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281
- SHA512: cc279ee918c59f0f12ab51b2a88ac2ee801be6adbacce368bc84b6b6dba781c0c0fa6d389a2cc420503ead178efb1336c2bcb40052049664a1c8486d807029d2
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large (1300) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    992   mssecsvc.exe
    1304  mssecsvc.exe
    524   tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
    description                   ioc                                                                                                                      process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: mssecsvc.exe, rundll32.exe
    description   ioc                      process
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                       pid   process       target process
    PID 1280 wrote to memory of 1312  1280  rundll32.exe  rundll32.exe    (7 events)
    PID 1312 wrote to memory of 992   1312  rundll32.exe  mssecsvc.exe    (4 events)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\48c6ca7644be11df7661994f1fb90dbe0a5f537a4d425edcc5dc12fdd956d281.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 36e81fd6c5ea829ac56dd19c68b7ca0c
  SHA1: 94ec59960e278c1c34826a73a2244277721be3d3
  SHA256: 9cc92eb0da2056e09e126d3358a0264f6bb0d6f848961b59f468e0a74bab12c0
  SHA512: b41bca7ea3dd971dfb32c930e303ac3d7da6ee9e6315a0a6ba7ef8e6d9fa6523a5d9c0bb4da68d51dfdcbfe5d6e7f38b468da72b4aaebcd5376a1e5852152c82
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b0e9218be520b2f8391ab5c575bf98d0
  SHA1: 5909e58b6768cc219990f0ebe10782606656fb5f
  SHA256: 0fb71a0d4f29cdaff0192e3c4c2cc5df9f0af23b205f3c911a482a06d8de3c68
  SHA512: 4b5da5cc9f1162c373aad51473e20f062eabfc67077ed83ce02f65556932547c7a2614704b0c1069cd770831f746e5c8249ab52a8ef98bf722f18cd5313e8012
- memory/992-56-0x0000000000000000-mapping.dmp
- memory/1312-54-0x0000000000000000-mapping.dmp
- memory/1312-55-0x0000000076181000-0x0000000076183000-memory.dmp
  Filesize: 8KB