Analysis
- max time kernel: 152s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 19-07-2022 18:41

Static task: static1
Behavioral task: behavioral1
- Sample: 53bd36e4beb02198ccdde6c3a75663c2.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 53bd36e4beb02198ccdde6c3a75663c2.dll
- Resource: win10v2004-20220718-en

General
- Target: 53bd36e4beb02198ccdde6c3a75663c2.dll
- Size: 5.0MB
- MD5: 53bd36e4beb02198ccdde6c3a75663c2
- SHA1: c4c139c11405027b5a3f019f073d7b1c4082f905
- SHA256: 0bf994bea8d93e0307e56148b760e31d19afcc444e71ee7062025436aca9f0e9
- SHA512: c02b67c609bc746311caefbfe4faf2332745bcdf1c0646bcc09d6153c1c01775e546a9a0b77e9cacb5dc39aaad505936bef9ad8a66bec7e22a6c92780f09b225
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1214) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes: mssecsvr.exe, mssecsvr.exe
  pid | process
  1128 | mssecsvr.exe
  1576 | mssecsvr.exe
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvr.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvr.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvr.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvr.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvr.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvr.exe (every entry below was written by mssecsvr.exe)
  operation | key / value
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B}\WpadDecisionTime = 006054279f9bd801
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B}\ae-95-de-59-f8-43
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-95-de-59-f8-43\WpadDecision = "0"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B}\WpadDecisionReason = "1"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-95-de-59-f8-43\WpadDecisionReason = "1"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B}
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B}\WpadNetworkName = "Network 3"
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B}\WpadDecision = "0"
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-95-de-59-f8-43
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-95-de-59-f8-43\WpadDecisionTime = 006054279f9bd801
  Note for triage: these keys live under the .DEFAULT hive (the profile a SYSTEM process uses) and are the WinINet/WinHTTP proxy-autodetect (WPAD) and cache-prefix settings that Windows itself writes the first time a process under that profile makes a network call. They are a side effect of the service-mode instance going online, not a persistence mechanism, so they are weak indicators on their own; the dropped mssecsvr.exe and tasksche.exe are the artefacts worth hunting for.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1164 wrote to memory of 2016 | 1164 | rundll32.exe | rundll32.exe (7 entries)
  PID 2016 wrote to memory of 1128 | 2016 | rundll32.exe | mssecsvr.exe (4 entries)
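The "contacts a large number of remote hosts" signature above is a fan-out heuristic: one source talking to many distinct destinations in a short time. The block below is an added example of that heuristic run over constructed connection records, not code from the report or from the sandbox that produced it. The record format (timestamp, source, destination) and the threshold are assumptions; the scanner host is built to hit 1214 distinct peers so it mirrors the count in the report.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Record = Tuple[float, str, str]  # (timestamp in seconds, src host, dst host)


def fanout_alerts(records: List[Record], threshold: int = 100, window: float = 60.0) -> Dict[str, int]:
    """Return {src: peak_distinct_destinations} for every source that reached
    at least `threshold` distinct destination hosts within any `window`-second
    span. Distinct destinations, not connection count, is what separates a
    scanner from a chatty client that hammers one server."""
    by_src: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, src, dst in records:
        by_src[src].append((ts, dst))

    alerts: Dict[str, int] = {}
    for src, conns in by_src.items():
        conns.sort()
        counts: Dict[str, int] = defaultdict(int)  # dst -> hits inside the window
        left = 0
        peak = 0
        for ts, dst in conns:
            counts[dst] += 1
            # slide the left edge forward until the window is `window` seconds wide
            while ts - conns[left][0] > window:
                old = conns[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def build_sample() -> List[Record]:
    """Constructed telemetry (assumption, not from the report): one host that
    sweeps 1214 distinct addresses in about 30 seconds, and one normal host
    that makes 20 connections to only three servers."""
    recs: List[Record] = []
    for i in range(1214):
        recs.append((i * 0.025, "10.0.0.5", f"10.0.{i // 256}.{i % 256}"))
    servers = ["10.0.1.1", "10.0.1.2", "10.0.1.3"]
    for i in range(20):
        recs.append((i * 2.0, "10.0.0.9", servers[i % 3]))
    return recs


if __name__ == "__main__":
    for src, n in fanout_alerts(build_sample()).items():
        print(f"fan-out alert: {src} reached {n} distinct hosts within 60s")
```

Tune `threshold` to the environment: a domain controller or a vulnerability scanner legitimately reaches hundreds of hosts, so allow-list those sources rather than raising the threshold for everyone.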
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53bd36e4beb02198ccdde6c3a75663c2.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53bd36e4beb02198ccdde6c3a75663c2.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvr.exe (child of 2)
         command line: C:\WINDOWS\mssecsvr.exe
         - Executes dropped EXE
         - Drops file in Windows directory
1. C:\WINDOWS\mssecsvr.exe (separate top-level process; the report does not show its parent)
   command line: C:\WINDOWS\mssecsvr.exe -m security
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies data under HKEY_USERS

Reading the tree: the sandbox invokes the DLL by export ordinal (`,#1`). The 64-bit rundll32.exe in system32 hands off to the 32-bit copy in SysWOW64 because the sample is a 32-bit DLL (the resource tags list arch:x86); that hand-off is standard rundll32 behaviour, not something the sample does. The 32-bit rundll32 then writes C:\WINDOWS\mssecsvr.exe and starts it; that first instance drops C:\WINDOWS\tasksche.exe, while the second instance, launched with `-m security`, is the one that touches the network and the .DEFAULT registry hive.
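A process-tree detection for the chain shown above, added here as an example; it is not part of the report and not a rule from the sandbox that produced it. The events are constructed from the PIDs, images and command lines in the tree; the parent PIDs 900 and 480 are placeholders because the report does not show them, and the benign rundll32 line is constructed noise to show the rule does not fire on ordinary rundll32 use.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (assumption: Sysmon-style fields).
# PIDs, images and command lines come from the report's process tree;
# ppid 900 and 480 are placeholders, the report does not show them.
EVENTS: List[Dict] = [
    {"pid": 1164, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\53bd36e4beb02198ccdde6c3a75663c2.dll,#1"},
    {"pid": 2016, "ppid": 1164, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\53bd36e4beb02198ccdde6c3a75663c2.dll,#1"},
    {"pid": 1128, "ppid": 2016, "image": r"C:\WINDOWS\mssecsvr.exe",
     "cmdline": r"C:\WINDOWS\mssecsvr.exe"},
    {"pid": 1576, "ppid": 480, "image": r"C:\WINDOWS\mssecsvr.exe",
     "cmdline": r"C:\WINDOWS\mssecsvr.exe -m security"},
    # constructed benign noise: a normal Control Panel launch via rundll32
    {"pid": 3000, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 invoking an export *by ordinal* from a DLL under the user's Temp
# directory. Legitimate rundll32 use almost always names the export.
ORDINAL_FROM_TEMP = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.IGNORECASE)
SERVICE_MODE = re.compile(r"\s-m\s+security\b", re.IGNORECASE)


def find_wannacry_chain(events: List[Dict], max_depth: int = 8) -> List[Tuple[int, str]]:
    """Return (pid, reason) findings for the loader-to-dropper chain seen in
    the report: rundll32 ordinal load from Temp, mssecsvr.exe descended from
    that rundll32, and the service-mode '-m security' relaunch."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        image = e["image"].lower()
        cmd = e["cmdline"]
        if image.endswith("\\rundll32.exe") and ORDINAL_FROM_TEMP.search(cmd):
            findings.append((e["pid"], "rundll32 loads a DLL from %TEMP% by export ordinal"))
        if image.endswith("\\mssecsvr.exe"):
            # walk up the ancestry (bounded) looking for the rundll32 loader
            anc = by_pid.get(e["ppid"])
            depth = 0
            while anc is not None and depth < max_depth:
                if anc["image"].lower().endswith("\\rundll32.exe"):
                    findings.append((e["pid"], f"mssecsvr.exe spawned under rundll32 (pid {anc['pid']})"))
                    break
                anc = by_pid.get(anc["ppid"])
                depth += 1
            if SERVICE_MODE.search(cmd):
                findings.append((e["pid"], "mssecsvr.exe started in service mode (-m security)"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_wannacry_chain(EVENTS):
        print(f"pid {pid}: {reason}")
```

The ordinal-from-Temp rule is the generic part and is worth keeping even where the file names differ; the `mssecsvr.exe` and `-m security` checks are specific to this family and should be treated as confirmation, not as the primary trigger.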
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvr.exe (listed three times in the report, once as C:\WINDOWS\mssecsvr.exe and twice as C:\Windows\mssecsvr.exe; all three entries are the same file)
  Filesize: 2.2MB
  MD5: 63a98253cce2b5a2f596ac5142b309d3
  SHA1: 408dd5f4e660b225172b054a899bf0b374a152f1
  SHA256: 159916d87c50ea0a9237612fee58a73c9c60a3dc247f9757ae3ee91f6cfea6b8
  SHA512: 7b5ed3566385fc5b616d04fdf59723c1c79e242ec74d00b94f62ac81aaea476114acdb22d8ded7d94df88d6351ebadd3c9db3b9d772cc186c53a412025e178fc
- memory/1128-56-0x0000000000000000-mapping.dmp
- memory/2016-54-0x0000000000000000-mapping.dmp
- memory/2016-55-0x0000000076021000-0x0000000076023000-memory.dmp
  Filesize: 8KB
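A hash-matching check against the IoCs in this report, added here as an example and not code from the report or the sandbox. It carries the submitted DLL's digests (General section) and the dropped mssecsvr.exe digests (Downloads section), hashes a file in one pass with all three algorithms, and only reports a match when every algorithm agrees, so a single-algorithm hit is surfaced as a partial match rather than silently trusted. Function names and the partial-match label are this example's own choices.

```python
import hashlib
import sys
from typing import Dict, Iterable, Optional

ALGOS = ("md5", "sha1", "sha256")

# Digests copied from this report. Labels are this example's own wording.
IOC_HASHES: Dict[str, Dict[str, str]] = {
    "md5": {
        "53bd36e4beb02198ccdde6c3a75663c2": "submitted WannaCry DLL",
        "63a98253cce2b5a2f596ac5142b309d3": "dropped C:\\Windows\\mssecsvr.exe",
    },
    "sha1": {
        "c4c139c11405027b5a3f019f073d7b1c4082f905": "submitted WannaCry DLL",
        "408dd5f4e660b225172b054a899bf0b374a152f1": "dropped C:\\Windows\\mssecsvr.exe",
    },
    "sha256": {
        "0bf994bea8d93e0307e56148b760e31d19afcc444e71ee7062025436aca9f0e9": "submitted WannaCry DLL",
        "159916d87c50ea0a9237612fee58a73c9c60a3dc247f9757ae3ee91f6cfea6b8": "dropped C:\\Windows\\mssecsvr.exe",
    },
}


def digests(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Compute every IoC algorithm in a single pass over the data, so a
    5 MB DLL is read once rather than once per algorithm."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    for chunk in chunks:
        for h in hs.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    return digests([data])


def digests_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    def chunks():
        with open(path, "rb") as f:
            while True:
                buf = f.read(chunk_size)
                if not buf:
                    return
                yield buf
    return digests(chunks())


def add_ioc(label: str, d: Dict[str, str]) -> None:
    """Register a new IoC from a digest set (used to extend the table at runtime)."""
    for algo in ALGOS:
        IOC_HASHES[algo][d[algo]] = label


def match_ioc(d: Dict[str, str]) -> Optional[str]:
    """Return the IoC label when all algorithms agree, None when none match,
    and a 'PARTIAL' marker when only some do (a sign of a truncated table
    entry or a deliberate collision, either way worth a human look)."""
    hits = {a: IOC_HASHES[a].get(d[a]) for a in ALGOS}
    labels = {v for v in hits.values() if v is not None}
    if not labels:
        return None
    if len(labels) == 1 and all(hits.values()):
        return labels.pop()
    return "PARTIAL: " + ", ".join(sorted(labels))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, match_ioc(digests_of_file(path)) or "clean")
```

MD5 and SHA1 are kept only because sandbox reports publish them; on a real hunt treat the SHA256 as authoritative and the weaker digests as corroboration.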