Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 00:41
Static task
- static1

Behavioral task
- behavioral1
  Sample: 16ce86d5d1cf3e2dd93aaec1b3394ef2.dll
  Resource: win7-20220718-en

Behavioral task
- behavioral2
  Sample: 16ce86d5d1cf3e2dd93aaec1b3394ef2.dll
  Resource: win10v2004-20220414-en
General
- Target: 16ce86d5d1cf3e2dd93aaec1b3394ef2.dll
- Size: 5.0MB
- MD5: 16ce86d5d1cf3e2dd93aaec1b3394ef2
- SHA1: 5dae16978a5b8f1964e04ac2145541b0ad2b52f3
- SHA256: 778a55a3dab38862e2eda45f619cdb44baa804a1c165f0db8c600ec1b1faaf64
- SHA512: 117bae2ed24ff5d39d18a9d7209ef9ef56c8c21977b4c268123ac5df46d294254603113aba45b74183556fe7ac8b00375322b071e5cb4a491d2704cd47706f39
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (1252) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid  | process
  536  | mssecsvc.exe
  1760 | mssecsvc.exe
  1236 | tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e\WpadDecisionTime = 00547830e29bd801 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8} | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadDecisionTime = 00547830e29bd801 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\a2-7a-30-fb-3f-0e | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadDecisionReason = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-7a-30-fb-3f-0e\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7342CC2-F467-4277-893B-3256E81CF5D8}\WpadDecision = "0" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2036 wrote to memory of 1276 | 2036 | rundll32.exe | rundll32.exe
  PID 2036 wrote to memory of 1276 | 2036 | rundll32.exe | rundll32.exe
  PID 2036 wrote to memory of 1276 | 2036 | rundll32.exe | rundll32.exe
  PID 2036 wrote to memory of 1276 | 2036 | rundll32.exe | rundll32.exe
  PID 2036 wrote to memory of 1276 | 2036 | rundll32.exe | rundll32.exe
  PID 2036 wrote to memory of 1276 | 2036 | rundll32.exe | rundll32.exe
  PID 2036 wrote to memory of 1276 | 2036 | rundll32.exe | rundll32.exe
  PID 1276 wrote to memory of 536 | 1276 | rundll32.exe | mssecsvc.exe
  PID 1276 wrote to memory of 536 | 1276 | rundll32.exe | mssecsvc.exe
  PID 1276 wrote to memory of 536 | 1276 | rundll32.exe | mssecsvc.exe
  PID 1276 wrote to memory of 536 | 1276 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16ce86d5d1cf3e2dd93aaec1b3394ef2.dll,#1
  PID: 2036
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\16ce86d5d1cf3e2dd93aaec1b3394ef2.dll,#1
    PID: 1276
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 536
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1236
        Signatures: Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1760
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a0cb6b0dc5d228429065fbc33c2f585d
  SHA1: 07726f67a00ad36476dfa5dca830129324d6b223
  SHA256: 06fd85227f456e59ae19c46a7cefdc41cafadecb53ba6c25ceec9abda8d606b3
  SHA512: 89680cdd995c9d2acfcfd9881f58e7e4693d2a7545a9c894af266ffa6a301362a6653ed070f06808fbf3c9fd811a300096a7b095c6ffb072348f2f8b9a247e18

- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a0cb6b0dc5d228429065fbc33c2f585d
  SHA1: 07726f67a00ad36476dfa5dca830129324d6b223
  SHA256: 06fd85227f456e59ae19c46a7cefdc41cafadecb53ba6c25ceec9abda8d606b3
  SHA512: 89680cdd995c9d2acfcfd9881f58e7e4693d2a7545a9c894af266ffa6a301362a6653ed070f06808fbf3c9fd811a300096a7b095c6ffb072348f2f8b9a247e18

- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: ea7d7a7f1e10874a3e94cd08628083db
  SHA1: 41f862f9eeee5acf802eaf2bfc9b2c0bb862f82f
  SHA256: 06b22b278a2ebcf74be43cfee41826342cc118bb570e7833ecf53e1d1a521ba6
  SHA512: 9a85dedc93b8bf73cf8d58eadd0b536c4c7c0ecc03af1bf4ffb40561e3eb72a8eaa7f3fca070f2afd47334365adba941df7e3b3fcfa23f7762a97fa4d4897bed

- memory/536-56-0x0000000000000000-mapping.dmp

- memory/1276-54-0x0000000000000000-mapping.dmp

- memory/1276-55-0x0000000075D51000-0x0000000075D53000-memory.dmp
  Filesize: 8KB