Analysis
- Max time kernel: 151s
- Max time network: 154s
- Platform: windows7_x64
- Resource: win7-20220715-en
- Resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- Submitted: 19-07-2022 23:43

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 5e9c5a51094fa1c3d88fd30cd5c4934c.dll
  Resource: win7-20220715-en
- Behavioral task: behavioral2
  Sample: 5e9c5a51094fa1c3d88fd30cd5c4934c.dll
  Resource: win10v2004-20220718-en
General
- Target: 5e9c5a51094fa1c3d88fd30cd5c4934c.dll
- Size: 5.0MB
- MD5: 5e9c5a51094fa1c3d88fd30cd5c4934c
- SHA1: c89cf3fa904e833856d809a7117e3a33b34c90f6
- SHA256: 190dc8bbf160ad52059047cdcac0eda73e6a9d8119d6b42d57cf33a35df83fec
- SHA512: 5417ded155fb88be401ee13addbf8f0f28915deaab9e76850db6b42a5e56e174c0efe994138f2389c11c3908877cc06034b581a7a33a54e8250b687f7a384a76
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (1289) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID 1968  mssecsvc.exe
  PID 1612  mssecsvc.exe
  PID 1704  tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (all by mssecsvc.exe):
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}\WpadDecisionReason = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}\WpadDecision = "0"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-35-a4-69-4c-20\WpadDecisionReason = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fe000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}\WpadNetworkName = "Network 3"
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-35-a4-69-4c-20
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-35-a4-69-4c-20\WpadDecisionTime = c0198552c99bd801
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}\a2-35-a4-69-4c-20
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C321097C-58FA-4DD6-B563-F9FA36548596}\WpadDecisionTime = c0198552c99bd801
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-35-a4-69-4c-20\WpadDecision = "0"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (source PID, source process, target PID, target process):
  PID 2004 (rundll32.exe) wrote to memory of PID 1148 (rundll32.exe), recorded 7 times
  PID 1148 (rundll32.exe) wrote to memory of PID 1968 (mssecsvc.exe), recorded 4 times
Processes
- C:\Windows\system32\rundll32.exe (PID 2004)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e9c5a51094fa1c3d88fd30cd5c4934c.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1148)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e9c5a51094fa1c3d88fd30cd5c4934c.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1968)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1704)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1612)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e6a5f18d9fb21a5f0272657404773dd7
  SHA1: 3d5cae9c2f57b32788d8e046857bf19933622b2c
  SHA256: df06a81ec30ecafa9cda12fd568134dbda4d28902d4278164d3d60dbd1281cdc
  SHA512: 4710d55a450da50b2e2138494b6e8161c263c3047f3477f18add5ca8e72c5637d17e268c326d1eec49ba0ca281ed1adda4739a997958dacf64bdbb0b0015355f
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: e53eca70af35bcd7f7afd4dcc3f49dae
  SHA1: bdf8f0c559ba71c0e66c06164768573c33d0e774
  SHA256: b18fb7c3a78546b005e0d6efe496168181c4d9ba8a03d75508f94990d021f016
  SHA512: e6e113fc4d454f2756d3611db8c32f1f7491414a42341bfddc709b634180adf903125f14f1e31300afa552afba17edef8e323643c47579eabef1aae7aae2ade8
- memory/1148-54-0x0000000000000000-mapping.dmp
- memory/1148-55-0x00000000765D1000-0x00000000765D3000-memory.dmp
  Filesize: 8KB
- memory/1968-56-0x0000000000000000-mapping.dmp