Analysis
- max time kernel: 42s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 18-07-2022 14:53
Behavioral task: behavioral1
- Sample: 5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f.dll
- Resource: win10v2004-20220414-en
General
- Target: 5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f.dll
- Size: 5.0MB
- MD5: 38c817799dc0b801b8051000baac445a
- SHA1: 6b7b2c1659ae194b6f7a5d94e40e94cacdc1bccc
- SHA256: 5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f
- SHA512: 281797346098fb0b15265e28b4fa6bd98304611878ef7b902fa0170fec8c4437f43d8d285578538e09b41973f90c522c801bb91e2b41401e68a96839d3495006
Malware Config
Extracted:
- metasploit
- encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Wannacry
  WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Header
- suricata: ET MALWARE Possible WannaCry DNS Lookup 2
- Executes dropped EXE (2 IoCs)
  Processes:
  pid  | process
  1392 | mssecsvc.exe
  564  | mssecsvc.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (13 IoCs)
  Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid  | process
  1392 | mssecsvc.exe
  564  | mssecsvc.exe
- Suspicious behavior: MapViewOfSection (46 IoCs; identical rows collapsed with a count)
  Processes:
  pid  | process      | count
  1392 | mssecsvc.exe | 22
  564  | mssecsvc.exe | 24
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1392 | mssecsvc.exe
  Token: SeDebugPrivilege | 564 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed with a count)
  Processes:
  description | pid | process | target process | count
  PID 1624 wrote to memory of 1776 | 1624 | rundll32.exe | rundll32.exe | 7
  PID 1776 wrote to memory of 1392 | 1776 | rundll32.exe | mssecsvc.exe | 4
  PID 1392 wrote to memory of 368 | 1392 | mssecsvc.exe | wininit.exe | 7
  PID 1392 wrote to memory of 380 | 1392 | mssecsvc.exe | csrss.exe | 7
  PID 1392 wrote to memory of 416 | 1392 | mssecsvc.exe | winlogon.exe | 7
  PID 1392 wrote to memory of 464 | 1392 | mssecsvc.exe | services.exe | 7
  PID 1392 wrote to memory of 472 | 1392 | mssecsvc.exe | lsass.exe | 7
  PID 1392 wrote to memory of 480 | 1392 | mssecsvc.exe | lsm.exe | 7
  PID 1392 wrote to memory of 580 | 1392 | mssecsvc.exe | svchost.exe | 7
  PID 1392 wrote to memory of 656 | 1392 | mssecsvc.exe | svchost.exe | 4
Processes (indented by tree depth; each entry gives the image path, then its command line and any matched signatures)
- C:\Windows\system32\lsass.exe (depth 1)
  Command line: C:\Windows\system32\lsass.exe
- C:\Windows\system32\services.exe (depth 1)
  Command line: C:\Windows\system32\services.exe
  - C:\Windows\System32\svchost.exe (depth 2)
    Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    - C:\Windows\system32\Dwm.exe (depth 3)
      Command line: "C:\Windows\system32\Dwm.exe"
  - C:\Windows\system32\taskhost.exe (depth 2)
    Command line: "taskhost.exe"
  - C:\Windows\system32\sppsvc.exe (depth 2)
    Command line: C:\Windows\system32\sppsvc.exe
  - C:\Windows\system32\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  - C:\Windows\system32\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  - C:\Windows\System32\spoolsv.exe (depth 2)
    Command line: C:\Windows\System32\spoolsv.exe
  - C:\Windows\system32\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k NetworkService
  - C:\Windows\system32\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k netsvcs
  - C:\Windows\system32\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k LocalService
  - C:\Windows\System32\svchost.exe (depth 2)
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  - C:\Windows\system32\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k RPCSS
  - C:\Windows\system32\svchost.exe (depth 2)
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch
    - C:\Windows\system32\DllHost.exe (depth 3)
      Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\WINDOWS\mssecsvc.exe (depth 2)
    Command line: C:\WINDOWS\mssecsvc.exe -m security
    Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\winlogon.exe (depth 1)
  Command line: winlogon.exe
- C:\Windows\system32\csrss.exe (depth 1)
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
- C:\Windows\system32\wininit.exe (depth 1)
  Command line: wininit.exe
  - C:\Windows\system32\lsm.exe (depth 2)
    Command line: C:\Windows\system32\lsm.exe
- \\?\C:\Windows\system32\wbem\WMIADAP.EXE (depth 1)
  Command line: wmiadap.exe /F /T /R
- C:\Windows\system32\wbem\wmiprvse.exe (depth 1)
  Command line: C:\Windows\system32\wbem\wmiprvse.exe
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - C:\Windows\system32\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (depth 3)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5180621dabfbf51a1764886b08bf8b954f27e326ed6167fbdbd8a6f6313c534f.dll,#1
      Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\WINDOWS\mssecsvc.exe (depth 4)
        Command line: C:\WINDOWS\mssecsvc.exe
        Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.8MB
  MD5: b544af75785b0448fb13b674c7a51d92
  SHA1: 7b88ce7386c7027d00e61ff512886cc11118ab7d
  SHA256: 57288b609475cb3f1521725178e405024844a1710f9aecef14d815b77bb86d0f
  SHA512: e11a6b44b21ad7360655f074a02abffb406bdd2f55c11b9bfbf57b29ec8a6281ea640cd84963d7abe8a1a0310eebc349d804cee241014ad055ea7fa617236b21
- memory/564-62-0x0000000000400000-0x0000000000AB2000-memory.dmp
  Filesize: 6.7MB
- memory/1392-56-0x0000000000000000-mapping.dmp
- memory/1392-59-0x0000000000400000-0x0000000000AB2000-memory.dmp
  Filesize: 6.7MB
- memory/1392-63-0x0000000000400000-0x0000000000AB2000-memory.dmp
  Filesize: 6.7MB
- memory/1392-64-0x000000007EF70000-0x000000007EF7C000-memory.dmp
  Filesize: 48KB
- memory/1776-54-0x0000000000000000-mapping.dmp
- memory/1776-55-0x0000000075B61000-0x0000000075B63000-memory.dmp
  Filesize: 8KB