Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 00:41
Static task: static1
Behavioral task: behavioral1
  Sample: ae35c36bea9319e3456f00994d49c955.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: ae35c36bea9319e3456f00994d49c955.dll
  Resource: win10v2004-20220718-en
General
- Target: ae35c36bea9319e3456f00994d49c955.dll
- Size: 5.0MB
- MD5: ae35c36bea9319e3456f00994d49c955
- SHA1: 930ffa486221f212895d298eeb9c7e98d3303810
- SHA256: 682a18a241d9b0430472694cd5822e14165b6d343ef46247d266e724f4c5ced2
- SHA512: b492e9a61530b41149d9def1c30f5b61e0ba4d12952e608cb9e8798a3e4169ae67264e40ba50d7d77dc601f3a172aa735277e450de9703b83dca3576b7ea08ac
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1272) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
  pid  | process
  1656 | mssecsvc.exe
  340  | mssecsvc.exe
  520  | tasksche.exe
-
Drops file in System32 directory 1 IoCs
Processes:
  description                   | ioc                                                                                                            | process
  File opened for modification  | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
  description   | ioc                       | process
  File created  | C:\WINDOWS\mssecsvc.exe   | rundll32.exe
  File created  | C:\WINDOWS\tasksche.exe   | mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
  description       | ioc | process
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Key created       | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (data)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (data)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77\WpadDecisionTime = c0da8630e29bd801 | mssecsvc.exe
  Set value (data)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Key created       | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (str)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadDecisionReason = "1" | mssecsvc.exe
  Key created       | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\9a-07-c5-c5-06-77 | mssecsvc.exe
  Key created       | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (data)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created       | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (str)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Key created       | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856} | mssecsvc.exe
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadDecision = "0" | mssecsvc.exe
  Set value (str)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77\WpadDecisionReason = "1" | mssecsvc.exe
  Key created       | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77\WpadDecision = "0" | mssecsvc.exe
  Set value (data)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB3BA126-FD83-479D-B737-6BB85B0C2856}\WpadDecisionTime = c0da8630e29bd801 | mssecsvc.exe
  Key created       | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-07-c5-c5-06-77 | mssecsvc.exe
  Set value (int)   | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  description                         | pid  | process       | target process
  PID 1948 wrote to memory of 896     | 1948 | rundll32.exe  | rundll32.exe
  PID 1948 wrote to memory of 896     | 1948 | rundll32.exe  | rundll32.exe
  PID 1948 wrote to memory of 896     | 1948 | rundll32.exe  | rundll32.exe
  PID 1948 wrote to memory of 896     | 1948 | rundll32.exe  | rundll32.exe
  PID 1948 wrote to memory of 896     | 1948 | rundll32.exe  | rundll32.exe
  PID 1948 wrote to memory of 896     | 1948 | rundll32.exe  | rundll32.exe
  PID 1948 wrote to memory of 896     | 1948 | rundll32.exe  | rundll32.exe
  PID 896 wrote to memory of 1656     | 896  | rundll32.exe  | mssecsvc.exe
  PID 896 wrote to memory of 1656     | 896  | rundll32.exe  | mssecsvc.exe
  PID 896 wrote to memory of 1656     | 896  | rundll32.exe  | mssecsvc.exe
  PID 896 wrote to memory of 1656     | 896  | rundll32.exe  | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae35c36bea9319e3456f00994d49c955.dll,#1
  PID: 1948
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae35c36bea9319e3456f00994d49c955.dll,#1
    PID: 896
    Signatures:
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1656
      Signatures:
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 520
        Signatures:
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 340
  Signatures:
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 17156cdc3d6c5e68be202aecf2e7c419
  SHA1: ea9e39a5463ae1c55d9f659a0b706d3d516462d2
  SHA256: bd3f0154d4299e0708b3e32b0d440546725a6abf856b4392299b44946a94fbea
  SHA512: 740ed7123d10fd91f1e4623356ca0addddce2a3c8fae23cafd821890ec5d25dee599bb6dbb8858b479e1c4fa2af7c16f49d0cae324763c559c080e1940de1c0c
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 17156cdc3d6c5e68be202aecf2e7c419
  SHA1: ea9e39a5463ae1c55d9f659a0b706d3d516462d2
  SHA256: bd3f0154d4299e0708b3e32b0d440546725a6abf856b4392299b44946a94fbea
  SHA512: 740ed7123d10fd91f1e4623356ca0addddce2a3c8fae23cafd821890ec5d25dee599bb6dbb8858b479e1c4fa2af7c16f49d0cae324763c559c080e1940de1c0c
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 84a3bcc88e986e51b09336dec5cdf70f
  SHA1: 0055217de8cc80a341c4950607f8e1a2ec49f75e
  SHA256: bff5fa6cf223b458a703d6a2acdb1977a455d99dbeae5c05fe7f23f069bcbc61
  SHA512: 70de79a19dc48c6d6d598acffd8b7b0095e458ffa1c31e2c6e4ee3d907716e9ea1b72c438ab64da74957127cd21cce0d4a3d432f1dabf66c5b9fd2286eb7593a
- memory/896-54-0x0000000000000000-mapping.dmp
- memory/896-55-0x0000000075301000-0x0000000075303000-memory.dmp
  Filesize: 8KB
- memory/1656-56-0x0000000000000000-mapping.dmp