Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 00:47
Static task: static1
Behavioral task: behavioral1
- Sample: 5c1a36ed5985d4ffc89e336964bbf269.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 5c1a36ed5985d4ffc89e336964bbf269.dll
- Resource: win10v2004-20220718-en
General
- Target: 5c1a36ed5985d4ffc89e336964bbf269.dll
- Size: 5.0MB
- MD5: 5c1a36ed5985d4ffc89e336964bbf269
- SHA1: 49b6b44ce62ee79808137b0125d95e8f745f2e07
- SHA256: c1311ce03beb66c468b2478c728706a5a24ce90452bce5b489be8753cbb25dd1
- SHA512: fcac4679dd4ef848ca1054ffcfe9fe2fd4c9537b4046294dafcfa524ecbc6b318f6e93e72faec9ed04c6f933005eb2c5a06022fe7db0f1fafa3d0d0d4fe023bd
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1251) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid | process
  1652 | mssecsvc.exe
  996 | mssecsvc.exe
  556 | tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-b6-0d-ab-9a-20\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E} | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E}\WpadDecision = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-b6-0d-ab-9a-20\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-b6-0d-ab-9a-20\WpadDecisionTime = 60239a06e39bd801 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E}\WpadDecisionTime = 60239a06e39bd801 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5AB3EC69-37C3-4F68-A950-A93EE4D75C8E}\46-b6-0d-ab-9a-20 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-b6-0d-ab-9a-20 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1620 wrote to memory of 1668 | 1620 | rundll32.exe | rundll32.exe
  PID 1620 wrote to memory of 1668 | 1620 | rundll32.exe | rundll32.exe
  PID 1620 wrote to memory of 1668 | 1620 | rundll32.exe | rundll32.exe
  PID 1620 wrote to memory of 1668 | 1620 | rundll32.exe | rundll32.exe
  PID 1620 wrote to memory of 1668 | 1620 | rundll32.exe | rundll32.exe
  PID 1620 wrote to memory of 1668 | 1620 | rundll32.exe | rundll32.exe
  PID 1620 wrote to memory of 1668 | 1620 | rundll32.exe | rundll32.exe
  PID 1668 wrote to memory of 1652 | 1668 | rundll32.exe | mssecsvc.exe
  PID 1668 wrote to memory of 1652 | 1668 | rundll32.exe | mssecsvc.exe
  PID 1668 wrote to memory of 1652 | 1668 | rundll32.exe | mssecsvc.exe
  PID 1668 wrote to memory of 1652 | 1668 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c1a36ed5985d4ffc89e336964bbf269.dll,#1
  PID: 1620
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c1a36ed5985d4ffc89e336964bbf269.dll,#1
    PID: 1668
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1652
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 556
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 996
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 220274c36705fe804ae6b2faaf99eb10
  SHA1: 9d190c6113ab466a9966ce550d40682e065479e7
  SHA256: 7a2eaa20332f03e4779b1dc31dff8704a06074708d07efb342c9ffbc5b2cbc0c
  SHA512: 69ee5d81bc870d2aee0470c66820572a6e5e6835a2f74a92bd111c188514894fa943b87f3302cdbc07eae54b589f3dabbd07a0e878acad61816fb9c4440ec08a
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 220274c36705fe804ae6b2faaf99eb10
  SHA1: 9d190c6113ab466a9966ce550d40682e065479e7
  SHA256: 7a2eaa20332f03e4779b1dc31dff8704a06074708d07efb342c9ffbc5b2cbc0c
  SHA512: 69ee5d81bc870d2aee0470c66820572a6e5e6835a2f74a92bd111c188514894fa943b87f3302cdbc07eae54b589f3dabbd07a0e878acad61816fb9c4440ec08a
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3adf6b96f2e61aa2d8295b4e39fb918a
  SHA1: 25f503afaccc40f3dec5e15dedc319d84c011699
  SHA256: 49de68ee93acd2e1fd0054e1f0d9aae9d40a75383ad085744a34f6a7e001de9f
  SHA512: a5f95d7d4636c87d5b81d9e60337dd13c712a8f91ee7c06911f21ccb3b6d41c6bb992ceb08fc9b1d79a2a8ff1f2d53f2fb34cfe34f864c1c7f137a743ddde374
- memory/1652-56-0x0000000000000000-mapping.dmp
- memory/1668-54-0x0000000000000000-mapping.dmp
- memory/1668-55-0x00000000756C1000-0x00000000756C3000-memory.dmp
  Filesize: 8KB