Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 00:42
Static task: static1
Behavioral task: behavioral1
- Sample: ecce5039634ff774782109f78831fab2.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: ecce5039634ff774782109f78831fab2.dll
- Resource: win10v2004-20220718-en
General
- Target: ecce5039634ff774782109f78831fab2.dll
- Size: 5.0MB
- MD5: ecce5039634ff774782109f78831fab2
- SHA1: 201cf971c2c4aa8e99121ccc1b4f403730d0ade8
- SHA256: 8d7960d4c8943d901f5e435bcc4406027ba814733b0b3c2e16f8b265df83dd53
- SHA512: 3ee99d676596885435f616e13dcb356e2f5d7733da8387ae780f32a86179b4cfb721525f789af4d2fa6f3ad7bd6204b1885a0a06c9f9bb84bc2ece54c3351ec7
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (965) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  888 | mssecsvc.exe
  1152 | mssecsvc.exe
  392 | tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF}\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF}\aa-9a-b0-7d-5c-4f | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9a-b0-7d-5c-4f\WpadDecisionTime = d0f4dc64e29bd801 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF} | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF}\WpadDecisionTime = d0f4dc64e29bd801 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9a-b0-7d-5c-4f | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9a-b0-7d-5c-4f\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00be000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CC7B9447-BD8D-4E20-895C-6B6F7836A7AF}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9a-b0-7d-5c-4f\WpadDecisionReason = "1" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 1028 wrote to memory of 1888 | 1028 | rundll32.exe | rundll32.exe (7 identical entries)
  PID 1888 wrote to memory of 888 | 1888 | rundll32.exe | mssecsvc.exe (4 identical entries)
Processes (process tree; indentation shows parent/child)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecce5039634ff774782109f78831fab2.dll,#1
  PID: 1028
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecce5039634ff774782109f78831fab2.dll,#1
    PID: 1888
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 888
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 392
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1152
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a425528f249d2888378de9f8300af9cb
  SHA1: d4987b17422d3ab83307a8358d1749a717d3fd1b
  SHA256: 4306cb0038e00851ab6c9989adfcf5c9ea9107a4fb3552dc9d7732622c1111af
  SHA512: f749b65cc8c0bcb9cbf5c5219f25ceb713f239c716cb6a2ba373e2cd2613bdb92818c6e0b907bf4f9d5c8a31598e306ca4f966eff4e492bb05ac40301fb20617
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a425528f249d2888378de9f8300af9cb
  SHA1: d4987b17422d3ab83307a8358d1749a717d3fd1b
  SHA256: 4306cb0038e00851ab6c9989adfcf5c9ea9107a4fb3552dc9d7732622c1111af
  SHA512: f749b65cc8c0bcb9cbf5c5219f25ceb713f239c716cb6a2ba373e2cd2613bdb92818c6e0b907bf4f9d5c8a31598e306ca4f966eff4e492bb05ac40301fb20617
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 79bc33ad0c61b11edca10c373137ace7
  SHA1: 5c56289d0fdb2391f8c36c5fcca1085ab28f8b52
  SHA256: f9fdf806b56b1b71fcab1613d3c1761bdae006d432e3508bd16a6b04e092320f
  SHA512: 7acffdbe1435fe45108010c4dfc6150d44b66e04df533d749276912ece7a9724e87b10e9c71c6da4b84d80712126d7775dd34cb5d72eb02f13cadbc35ca5d0c5
- memory/888-56-0x0000000000000000-mapping.dmp
- memory/1888-54-0x0000000000000000-mapping.dmp
- memory/1888-55-0x0000000075DC1000-0x0000000075DC3000-memory.dmp
  Filesize: 8KB