Analysis
  max time kernel: 151s
  max time network: 153s
  platform: windows7_x64
  resource: win7-20220718-en
  resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  submitted: 19-07-2022 18:40
Static task: static1
Behavioral task: behavioral1
  Sample: 79f1d601ece826493e4e2b409980f6ac.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 79f1d601ece826493e4e2b409980f6ac.dll
  Resource: win10v2004-20220414-en
General
  Target: 79f1d601ece826493e4e2b409980f6ac.dll
  Size: 5.0MB
  MD5: 79f1d601ece826493e4e2b409980f6ac
  SHA1: 5132e83d8bb0b0998918dad8f48c45d37b001877
  SHA256: 268c5e3f3050d96c2fc80f38e7a81846bd799ba949d69f35bd2151e509189505
  SHA512: fb55c19f5b4afe04781dfcdf95ec17373be5040e1cdb1b8d9f63214ebb5ecacbfbf403cf15ec2b509fa5086de5d4ff8ab1b84c2fd9f2c4bccadca8fb3096d3af
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (1198) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID  | Process
  1364 | mssecsvc.exe
  2008 | mssecsvc.exe
  1188 | tasksche.exe
Drops file in System32 directory (1 IoCs)
Processes: mssecsvc.exe
  Description | IoC | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
  Description | IoC | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
Modifies data under HKEY_USERS (24 IoCs)
Processes: mssecsvc.exe
  Description | IoC | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0}\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0}\WpadDecisionTime = e0fa30c4af9bd801 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0}\06-75-a7-dd-b9-dc | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-75-a7-dd-b9-dc\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-75-a7-dd-b9-dc\WpadDecisionTime = e0fa30c4af9bd801 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0} | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E9134DB-3C23-4031-8933-B00BB05E13E0}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-75-a7-dd-b9-dc\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-75-a7-dd-b9-dc | mssecsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
  Description | PID | Process | Target process
  PID 1800 wrote to memory of 1224 | 1800 | rundll32.exe | rundll32.exe
  PID 1800 wrote to memory of 1224 | 1800 | rundll32.exe | rundll32.exe
  PID 1800 wrote to memory of 1224 | 1800 | rundll32.exe | rundll32.exe
  PID 1800 wrote to memory of 1224 | 1800 | rundll32.exe | rundll32.exe
  PID 1800 wrote to memory of 1224 | 1800 | rundll32.exe | rundll32.exe
  PID 1800 wrote to memory of 1224 | 1800 | rundll32.exe | rundll32.exe
  PID 1800 wrote to memory of 1224 | 1800 | rundll32.exe | rundll32.exe
  PID 1224 wrote to memory of 1364 | 1224 | rundll32.exe | mssecsvc.exe
  PID 1224 wrote to memory of 1364 | 1224 | rundll32.exe | mssecsvc.exe
  PID 1224 wrote to memory of 1364 | 1224 | rundll32.exe | mssecsvc.exe
  PID 1224 wrote to memory of 1364 | 1224 | rundll32.exe | mssecsvc.exe
Processes (process tree, indentation shows parent/child depth)
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\79f1d601ece826493e4e2b409980f6ac.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\79f1d601ece826493e4e2b409980f6ac.dll,#1
      Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
      C:\WINDOWS\mssecsvc.exe
        Command line: C:\WINDOWS\mssecsvc.exe
        Signatures: Executes dropped EXE; Drops file in Windows directory
        C:\WINDOWS\tasksche.exe
          Command line: C:\WINDOWS\tasksche.exe /i
          Signatures: Executes dropped EXE
  C:\WINDOWS\mssecsvc.exe
    Command line: C:\WINDOWS\mssecsvc.exe -m security
    Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  C:\WINDOWS\mssecsvc.exe
    Filesize: 3.6MB
    MD5: e362cb734da0b90095581f7a9f546056
    SHA1: 6413c71f105ceeb525a21b3ad4216181bb52907d
    SHA256: ac4079ec566390347dfda8a14a0c7424a732538d4561efeff05a9af2181e920a
    SHA512: 6d0b3b33b33a95a85e80bcb6275e38fce58ecf69c1c6d694dd3be4eef806f15da9d462bd173f58c13623a776ffbac79a80cbb16f913a09e49899fbcb332e7488
  C:\Windows\mssecsvc.exe
    Filesize: 3.6MB
    MD5: e362cb734da0b90095581f7a9f546056
    SHA1: 6413c71f105ceeb525a21b3ad4216181bb52907d
    SHA256: ac4079ec566390347dfda8a14a0c7424a732538d4561efeff05a9af2181e920a
    SHA512: 6d0b3b33b33a95a85e80bcb6275e38fce58ecf69c1c6d694dd3be4eef806f15da9d462bd173f58c13623a776ffbac79a80cbb16f913a09e49899fbcb332e7488
  C:\Windows\tasksche.exe
    Filesize: 3.4MB
    MD5: 6a69a62b5dffae6c9bdb581a9d2db76e
    SHA1: 540ef36e63190662eeffd2f04286aa3c4b02922d
    SHA256: 1ab54ced90bdb51ae642bbf882c92fae6a761119d40771acdfa01c644cb2722d
    SHA512: 6638db680427c47abffca484aff19516716f5e3ac59eb6b562d086987b51bf7c053daa22c87b40187a0a98323b917cd7abb882279e37f7e47d9a427632f4d49c
  memory/1224-54-0x0000000000000000-mapping.dmp
  memory/1224-55-0x0000000076291000-0x0000000076293000-memory.dmp
    Filesize: 8KB
  memory/1364-56-0x0000000000000000-mapping.dmp