Resubmissions

19-07-2022 13:15

220719-qhn2eaccf5 10

19-07-2022 09:44

220719-lq1b7acacp 10

Analysis

  • max time kernel
    95s
  • max time network
    98s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-07-2022 13:15

General

  • Target

    mssecsvc.exe

  • Size

    3.6MB

  • MD5

    c39c3a9fd55d3eb1445ff15ff38c586d

  • SHA1

    85d7541b20a85e68718ec9be6da09834147ee7d6

  • SHA256

    5bbc4474a20ba7b969c2aa8677e2833c0a7c306f70f55853d00e3df54c0ae0da

  • SHA512

    ba63768d70eca619a1aa207c34a58cfa9658dcb066679be27fbb0221a243baae9171769d0fadf8d7c1557621e8fff5b2d7149af4cf531dc8612a24b19135766a

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
  • suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

  • Contacts a large number (653) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe
    "C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe"
    1⤵
    • Drops file in Windows directory
    PID:960
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:1936
  • C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe
    C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe -m security
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1568
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      2⤵
      • Gathers network information
      • Suspicious use of AdjustPrivilegeToken
      PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Command-Line Interface (T1059) 1
  • Discovery
    Network Service Scanning (T1046) 1
    System Information Discovery (T1082) 1

Downloads

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    963295708daccdbc1c2836cace02ec3e

    SHA1

    86fa4ed6cbbedfd2bd16b804cb8a9a9802d91390

    SHA256

    d8bb45f7d9db0f7bb3f051f303927f31122906c5610ccc65cf827b30566416e5

    SHA512

    9af2b1d57b931bb68a114c28d8ea3af9dd9b2aa98895f7e785c09cc1edd2676558d229a481dbe34c647fc5178145942b600dc5cf68442280fa56af0154eb498b

  • memory/960-54-0x0000000076091000-0x0000000076093000-memory.dmp
    Filesize

    8KB

  • memory/1992-57-0x0000000000000000-mapping.dmp