Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 19-07-2022 23:44
Static task: static1
Behavioral task: behavioral1
- Sample: cd59384c604a5f9e447adc1e97e95291.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: cd59384c604a5f9e447adc1e97e95291.dll
- Resource: win10v2004-20220718-en
General
- Target: cd59384c604a5f9e447adc1e97e95291.dll
- Size: 5.0MB
- MD5: cd59384c604a5f9e447adc1e97e95291
- SHA1: 098bfc9ba19f826f33c16697a0af3a8d805e922a
- SHA256: 7d0e5ba752f278eade0152fc94f590d565f3f96737620f4084534de58d4f8187
- SHA512: 72fa297ac5b4616edf42349c564cff26cac5efddfdd0a9daa96c2aa70779247e43cccee1797d7856d09a4a8c356868587bc7496fa854d8bb615b2d4ecab4f342
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1254) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services. The count is outbound connection attempts made from the sandbox host during the run; for a WannaCry sample that fan-out is the worm's propagation scanning, so a single host reaching this many distinct peers within a few minutes is a strong signal on its own, independent of any file hash.
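The fan-out check behind that signature, written out as an added example (not part of the sandbox report): a sliding-window count of distinct destinations per source over connection records. The records are constructed here in an assumed "timestamp source destination port" form; the sample scanner targets port 445 because WannaCry spreads over SMB, which is a fact about the family rather than something this report states. The window and threshold values are assumed tuning choices.

```python
"""Flag a host that fans out to many distinct peers inside a short window."""
from collections import defaultdict, deque

WINDOW_S = 60     # sliding window length in seconds (assumed tuning value)
THRESHOLD = 100   # distinct destinations inside one window that raise an alert


def parse_record(line):
    """'<unix_ts> <src_ip> <dst_ip> <dst_port>' -> (int, str, str, int)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def fanout_alerts(lines, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return {src_ip: {"peak": n, "ports": [...]}} for every source that
    reached at least `threshold` distinct destinations within any span of
    `window_s` seconds.

    Records are processed in time order. Per source, a deque holds the
    connections still inside the window and a counter tracks how many of
    them go to each destination, so the distinct count stays exact as old
    connections expire.
    """
    live = defaultdict(deque)                        # src -> deque[(ts, dst)]
    per_dst = defaultdict(lambda: defaultdict(int))  # src -> dst -> count in window
    ports = defaultdict(set)                         # src -> destination ports seen
    alerts = {}
    for ts, src, dst, dport in sorted(parse_record(l) for l in lines):
        q, counts = live[src], per_dst[src]
        q.append((ts, dst))
        counts[dst] += 1
        ports[src].add(dport)
        # Expire connections that fell out of the window.
        while q and ts - q[0][0] > window_s:
            old_ts, old_dst = q.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        distinct = len(counts)
        if distinct >= threshold:
            prev = alerts.get(src, {"peak": 0})["peak"]
            alerts[src] = {"peak": max(prev, distinct), "ports": sorted(ports[src])}
    return alerts


def constructed_log():
    """Constructed sample data (not from the report): one host probing 1254
    peers on 445 at ten per second, matching the report's host count, plus a
    benign host that keeps talking to the same five servers."""
    base = 1658274300
    lines = []
    for i in range(1254):
        lines.append(f"{base + i // 10} 10.0.0.5 10.1.{i // 256}.{i % 256} 445")
    for i in range(300):
        lines.append(f"{base + i} 10.0.0.9 10.2.0.{i % 5} 445")
    return lines


if __name__ == "__main__":
    for src, info in fanout_alerts(constructed_log()).items():
        print(f"{src}: peak {info['peak']} distinct destinations on ports {info['ports']}")
```

With the constructed input only 10.0.0.5 is reported, peaking at 610 distinct destinations inside a 60 s window; the benign host never exceeds five. The deque plus counter keeps the check at O(1) per record, which matters when the same logic runs over flow logs for a whole subnet.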
-
Executes dropped EXE (3 IoCs)
Processes:
- PID 1928: mssecsvc.exe
- PID 1208: mssecsvc.exe
- PID 1920: tasksche.exe
Drops file in System32 directory (1 IoC)
Processes:
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (by mssecsvc.exe)
The systemprofile path shows that this instance of mssecsvc.exe ran under the SYSTEM profile; counters.dat is WinINet cache bookkeeping, so this entry records web activity from the service context rather than a payload drop.
Drops file in Windows directory (2 IoCs)
Processes:
- File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
- File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
Modifies data under HKEY_USERS (24 IoCs)
Processes: mssecsvc.exe (every entry below)
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadDecisionTime = 202af939da9bd801
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadDecision = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (no value recorded in the report)
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadNetworkName = "Network 3"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\4a-be-6e-b9-73-90
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90\WpadDecisionTime = 202af939da9bd801
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90\WpadDecisionReason = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-be-6e-b9-73-90\WpadDecision = "0"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDD376C1-A934-4862-A477-420673A0EB55}\WpadDecisionReason = "1"
All of these sit under HKEY_USERS\.DEFAULT and are the Internet Settings, WPAD auto-detect and zone-map entries that WinINet writes when it initialises for the SYSTEM profile. They are side effects of the service-context process making a web request, not persistence, so treat them as supporting context for the SYSTEM-level execution rather than as stand-alone indicators.
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
- PID 892 (rundll32.exe) wrote to memory of PID 880 (rundll32.exe): 7 times
- PID 880 (rundll32.exe) wrote to memory of PID 1928 (mssecsvc.exe): 4 times
- PID 1928 (mssecsvc.exe) wrote to memory of PID 1920 (tasksche.exe): 4 times
Each pair is a parent writing into a child it has just created, which is also what CreateProcess itself produces while setting up the child's address space; the signal here is the parent/child identity (rundll32.exe spawning a freshly dropped executable from C:\WINDOWS), not the API call on its own.
Processes
-
C:\Windows\system32\rundll32.exe (PID 892)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd59384c604a5f9e447adc1e97e95291.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 880, child of 892)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd59384c604a5f9e447adc1e97e95291.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 1928, child of 880)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\WINDOWS\tasksche.exe (PID 1920, child of 1928)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exe (PID 1208, no parent recorded)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Reading the tree: the x64 rundll32.exe hands the DLL off to the 32-bit rundll32.exe in SysWOW64 (the normal rundll32 behaviour for a 32-bit DLL, consistent with the arch:x86 resource tag), that instance writes C:\WINDOWS\mssecsvc.exe and starts it, and mssecsvc.exe in turn writes and starts C:\WINDOWS\tasksche.exe /i. The second root (PID 1208) has no parent in the report and runs with -m security; the systemprofile file write and the HKEY_USERS\.DEFAULT registry activity above belong to this SYSTEM-context instance.
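The same chain expressed as detection logic over process-creation telemetry, as an added example that is not part of the sandbox report. The records are a constructed, simplified form of a Sysmon process-creation event (PID, parent PID, image path, command line); the field names and the parent PIDs given to the two tree roots (500 and 456) are assumptions, and the PIDs, paths and command lines are copied from the tree above. Two benign rundll32/svchost records are included to show the rules stay quiet on ordinary activity.

```python
"""Flag the rundll32 -> mssecsvc.exe -> tasksche.exe chain in process telemetry."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\cd59384c604a5f9e447adc1e97e95291.dll"

# Constructed events mirroring the report's process tree (parent PIDs 500/456 assumed).
SAMPLE_EVENTS = [
    ProcEvent(892, 500, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(880, 892, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1928, 880, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(1920, 1928, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(1208, 456, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    # Benign noise that must not fire: rundll32 loading a system DLL from System32.
    ProcEvent(2000, 500, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(2001, 2000, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]

# An .exe sitting directly in the Windows root, not under System32 or SysWOW64.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (pid, rule, detail) tuples for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        pname = basename(parent.image) if parent else ""
        # Rule 1: rundll32.exe launching an executable dropped in C:\Windows\ itself.
        if pname == "rundll32.exe" and WINDOWS_ROOT_EXE.match(e.image):
            hits.append((e.pid, "rundll32 -> exe in Windows root", e.image))
        # Rule 2: the '-m security' argument seen on the second tree root.
        if name == "mssecsvc.exe" and re.search(r"\s-m\s+security\b", e.cmdline, re.I):
            hits.append((e.pid, "mssecsvc.exe -m security", e.cmdline))
        # Rule 3: tasksche.exe started by mssecsvc.exe with /i, as in the tree.
        if name == "tasksche.exe" and pname == "mssecsvc.exe" and re.search(r"\s/i\b", e.cmdline):
            hits.append((e.pid, "mssecsvc.exe -> tasksche.exe /i", e.cmdline))
    return hits


def ancestry(events, pid):
    """Image names from pid up to the highest ancestor present in events
    (stops at a missing parent or a cycle)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule} [{detail}] chain={' <- '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

Rule 1 is the generic one worth keeping in production: a benign rundll32.exe has no reason to start an executable that lives directly in C:\Windows, and the rule does not depend on the file names this sample happened to use. Rules 2 and 3 are narrow, name-based confirmations taken straight from the tree.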
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\WINDOWS\mssecsvc.exe (the report lists this file three times with identical hashes; shown once)
  Filesize: 3.6MB
  MD5: 747ff3b923618f9c579309bc33fe9f64
  SHA1: 8a44b79f0042393ffc568ba16968e02f8b20d5cd
  SHA256: 4651c4359c600dc9fbd92e744352a63bbe7e345db8d05857879b925dbb13c679
  SHA512: 5a4495b2b925872c24dd1daeb87b0fabfaf229cc3b4fade9db76ca92c4ca743f6263b6b00e50986add57440b6e05ff5f230fc9c041b86a9353dff715250bc525
-
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: c8e7ed224160ab24e4232f5e6fd8bc08
  SHA1: 8bcbe1b427c7c65810d25d5e1bd6788073ab037d
  SHA256: 7176e96fab482a3569ae24b2dbdb81720cfc354199923294aafca76d7be28c8b
  SHA512: dd063fc9a0ba9b0743eea55f6f040ed350598e0adb3545054727b52ddac6aef02f6dd5fbc395520a0d21da18b85a6b69d353bcb1fe3413f1f67ec18e26d89cb8
-
Memory dumps
- memory/880-54-0x0000000000000000-mapping.dmp
- memory/880-55-0x0000000075831000-0x0000000075833000-memory.dmp (8KB)
- memory/1920-62-0x0000000000000000-mapping.dmp
- memory/1928-56-0x0000000000000000-mapping.dmp