Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 00:42
Static task: static1
Behavioral task: behavioral1
  Sample: 7f97f07acd6ebae1ae1e25728c8e5718.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 7f97f07acd6ebae1ae1e25728c8e5718.dll
  Resource: win10v2004-20220414-en
General
- Target: 7f97f07acd6ebae1ae1e25728c8e5718.dll
- Size: 5.0MB
- MD5: 7f97f07acd6ebae1ae1e25728c8e5718
- SHA1: f0a286bbd4954fa0a3c70cda523b51e3f5a873dd
- SHA256: a414c88ea3abea18940a7cfa966006ec106c8194854dca735791340516a6ddbd
- SHA512: 10b56fdfac0612f72cfbecc274f9b43647fc4658a38cf11af9847a9be140d47861d76481004ac94a41026e3ea772376127ebcd7e6b6add441d9aa93e697c2b6d
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (628) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1812  mssecsvc.exe
    620   mssecsvc.exe
    392   tasksche.exe
-
Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
-
Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
-
Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}\WpadDecisionTime = b0252a66e29bd801  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}\WpadDecision = "0"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-42-93-21-4d-8b\WpadDecision = "0"  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}\WpadNetworkName = "Network 3"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-42-93-21-4d-8b  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-42-93-21-4d-8b\WpadDecisionReason = "1"  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}\WpadDecisionReason = "1"  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69852850-24A8-40F7-B6FE-ABD752F75237}\2a-42-93-21-4d-8b  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-42-93-21-4d-8b\WpadDecisionTime = b0252a66e29bd801  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  mssecsvc.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 608 wrote to memory of 1596   608   rundll32.exe  rundll32.exe
    PID 608 wrote to memory of 1596   608   rundll32.exe  rundll32.exe
    PID 608 wrote to memory of 1596   608   rundll32.exe  rundll32.exe
    PID 608 wrote to memory of 1596   608   rundll32.exe  rundll32.exe
    PID 608 wrote to memory of 1596   608   rundll32.exe  rundll32.exe
    PID 608 wrote to memory of 1596   608   rundll32.exe  rundll32.exe
    PID 608 wrote to memory of 1596   608   rundll32.exe  rundll32.exe
    PID 1596 wrote to memory of 1812  1596  rundll32.exe  mssecsvc.exe
    PID 1596 wrote to memory of 1812  1596  rundll32.exe  mssecsvc.exe
    PID 1596 wrote to memory of 1812  1596  rundll32.exe  mssecsvc.exe
    PID 1596 wrote to memory of 1812  1596  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f97f07acd6ebae1ae1e25728c8e5718.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 608
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f97f07acd6ebae1ae1e25728c8e5718.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1596
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1812
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 392
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 620
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: fdd413bd48b8e870615b57b6d70e919a
  SHA1: 7b5db8f9695da121ad5ab038a763971c5fac8bdd
  SHA256: ab312f2bc2503ae9e62ae95df973f729f13ee5dc923b0a1fe599b490f9a78b2d
  SHA512: aa15905f21a790ddbbe8ac0928b955de9bc0f1bc771effdf8e1128ace3de97c53c3f1e3541d17f7a85b7f1afc6b4f5c4828663f24a45a9eab1df7fef25e911f1
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: fdd413bd48b8e870615b57b6d70e919a
  SHA1: 7b5db8f9695da121ad5ab038a763971c5fac8bdd
  SHA256: ab312f2bc2503ae9e62ae95df973f729f13ee5dc923b0a1fe599b490f9a78b2d
  SHA512: aa15905f21a790ddbbe8ac0928b955de9bc0f1bc771effdf8e1128ace3de97c53c3f1e3541d17f7a85b7f1afc6b4f5c4828663f24a45a9eab1df7fef25e911f1
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3cd12bc33759850852afe8ecdc8ab09f
  SHA1: 8ed34809398e16f470eca7bc33142be36de7ae44
  SHA256: 360768fb57d8baa76fe544fb52893bca68f48e07f486263d2a187274cb3548cc
  SHA512: 0a5702fdfe5576d7da1880a771c99b74e85c01c56d11a65ec0f1a28e27ddba50a0ec23ad596dd4d8249e41a847ce0e9ee8bece9bf4198dd85180b3d61fc6d23a
- memory/1596-54-0x0000000000000000-mapping.dmp
- memory/1596-55-0x0000000076871000-0x0000000076873000-memory.dmp
  Filesize: 8KB
- memory/1812-56-0x0000000000000000-mapping.dmp