Analysis
max time kernel: 151s
max time network: 154s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2022 00:44
Static task: static1
Behavioral task: behavioral1
  Sample: 4e221caf0f5a010f819d0d07cfe19aeb.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 4e221caf0f5a010f819d0d07cfe19aeb.dll
  Resource: win10v2004-20220718-en
General
Target: 4e221caf0f5a010f819d0d07cfe19aeb.dll
Size: 5.0MB
MD5: 4e221caf0f5a010f819d0d07cfe19aeb
SHA1: d66ef7acbd3f163b2167948b432d8e558fa34196
SHA256: 623d15ba5658384ea5a60431603eddfe363c3edd4eb45ecbe62afe3c625e3d35
SHA512: 11b3b995589a8cf3fe788dce5a63461bcab8d0c959388adc16170a3e60a9213c18b513c3182fc1903f9c0a1c80d59a7a510591eadde151613dea01868b339bd2
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1207) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1996  mssecsvc.exe
    2012  mssecsvc.exe
    1108  tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
    description                   ioc                                                                                                          process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                      process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
    description        ioc                                                                                                                                           process
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"                   mssecsvc.exe
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}\WpadDecisionTime = 5093779ce29bd801  mssecsvc.exe
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}\WpadNetworkName = "Network 3"  mssecsvc.exe
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"                                    mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"                                       mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-0f-b8-e8-60-c3                                         mssecsvc.exe
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-0f-b8-e8-60-c3\WpadDecisionTime = 5093779ce29bd801     mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-0f-b8-e8-60-c3\WpadDecision = "0"                      mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                                       mssecsvc.exe
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"                    mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}\WpadDecisionReason = "1"  mssecsvc.exe
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                                  mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                                                           mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}                    mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}\WpadDecision = "0"  mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AA06F573-5F7E-405D-90DC-276DD283BBA3}\26-0f-b8-e8-60-c3  mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                                                                mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings                                                                mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"                                              mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections                                                    mssecsvc.exe
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-0f-b8-e8-60-c3\WpadDecisionReason = "1"                mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1952 wrote to memory of 588   1952  rundll32.exe  rundll32.exe
    PID 1952 wrote to memory of 588   1952  rundll32.exe  rundll32.exe
    PID 1952 wrote to memory of 588   1952  rundll32.exe  rundll32.exe
    PID 1952 wrote to memory of 588   1952  rundll32.exe  rundll32.exe
    PID 1952 wrote to memory of 588   1952  rundll32.exe  rundll32.exe
    PID 1952 wrote to memory of 588   1952  rundll32.exe  rundll32.exe
    PID 1952 wrote to memory of 588   1952  rundll32.exe  rundll32.exe
    PID 588 wrote to memory of 1996   588   rundll32.exe  mssecsvc.exe
    PID 588 wrote to memory of 1996   588   rundll32.exe  mssecsvc.exe
    PID 588 wrote to memory of 1996   588   rundll32.exe  mssecsvc.exe
    PID 588 wrote to memory of 1996   588   rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e221caf0f5a010f819d0d07cfe19aeb.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1952
  C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e221caf0f5a010f819d0d07cfe19aeb.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 588
    C:\WINDOWS\mssecsvc.exe
      Command: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1996
      C:\WINDOWS\tasksche.exe
        Command: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 1108
C:\WINDOWS\mssecsvc.exe
  Command: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2012
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: aa6d1fb0b37cf3d74ab2f03500991543
  SHA1: a21637b8be53a909e414f08777828521645924e2
  SHA256: 3e0e79ceeb0a4dede37d03c8d4c332c4519121f82b4b8ad39b86fe6eaae2356b
  SHA512: 2d41b7ccdf397839ad10364521546ee22a2eea63369e0383e135a65febeb76ca6b68069b6047d3543b30ae3af0194e45a2557ab94f317c651b5a0bcde9c7b6db
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: aa6d1fb0b37cf3d74ab2f03500991543
  SHA1: a21637b8be53a909e414f08777828521645924e2
  SHA256: 3e0e79ceeb0a4dede37d03c8d4c332c4519121f82b4b8ad39b86fe6eaae2356b
  SHA512: 2d41b7ccdf397839ad10364521546ee22a2eea63369e0383e135a65febeb76ca6b68069b6047d3543b30ae3af0194e45a2557ab94f317c651b5a0bcde9c7b6db
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 2d04987a5c3573c65b4af3900602fb9a
  SHA1: 7e32f31f2e4dc9eccb92ca6fe3dc89f703aae54b
  SHA256: b99387f5593142cfa093e0815cfa019a87be4068391cc4d842f9d034da40ec48
  SHA512: c75d689e76d02907b64fb8f4c30d0977d24d85d46d99eea0bf1d7b1793e1693cfeda3da4b95527b1517d856055d03b3fb113e2f117d5f4c2e1c89a4663c354d8
memory/588-54-0x0000000000000000-mapping.dmp
memory/588-55-0x0000000075E21000-0x0000000075E23000-memory.dmp
  Filesize: 8KB
memory/1996-56-0x0000000000000000-mapping.dmp