Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system -
submitted
20-07-2022 00:46
Static task
static1
Behavioral task
behavioral1
Sample
1979f40a1a6ea5d1b3765d51106e1a59.dll
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
1979f40a1a6ea5d1b3765d51106e1a59.dll
Resource
win10v2004-20220414-en
General
-
Target
1979f40a1a6ea5d1b3765d51106e1a59.dll
-
Size
5.0MB
-
MD5
1979f40a1a6ea5d1b3765d51106e1a59
-
SHA1
fa2aabea035923395843146ee3c94b80776a1911
-
SHA256
75cb9bdda5938f729989ffcc4359c9696c23ff2fd31f0ac46aafd3c62f8b14d1
-
SHA512
ec2d6234ce758e31d56cb0f7f6666bbecd731adae0d7d9fe1d98fa79af37aa65a23eb3deabd261b2743c690f29361b183736cded9203e933ec36c3af8fc1fe3d
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1543) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid | process
1560 | mssecsvc.exe
1248 | mssecsvc.exe
1772 | tasksche.exe
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exe, mssecsvc.exe
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281} | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08\WpadDecisionReason = "1" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadDecisionTime = 90d46a1fd29bd801 | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadNetworkName = "Network 3" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08\WpadDecisionTime = 90d46a1fd29bd801 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76705A9A-E53A-489F-8D0E-78AAB2EBC281}\ae-1d-a5-c5-14-08 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-1d-a5-c5-14-08\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exe, rundll32.exe
description | pid | process | target process
PID 1836 wrote to memory of 2024 | 1836 | rundll32.exe | rundll32.exe (7 times)
PID 2024 wrote to memory of 1560 | 2024 | rundll32.exe | mssecsvc.exe (4 times)
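The DefaultConnectionSettings and SavedLegacySettings values in the "Modifies data under HKEY_USERS" signature above are WinINet's binary per-user proxy configuration, written here under HKU\.DEFAULT (the hive the LocalSystem account uses, consistent with that mssecsvc.exe instance running as LocalSystem). Decoding the header tells you what the process actually left configured: flags 0x09 = DIRECT | AUTO_DETECT with empty proxy, bypass and PAC fields, i.e. no proxy, WPAD auto-detection on, which is what the neighbouring Wpad\{GUID} and Wpad\<mac> keys and their WpadDecision values record. The decoder below is an added example, not part of the report: the 56-byte blob is reconstructed from the report's SavedLegacySettings value (version 0x46, counter 2, flags 9, then zeros), the field layout is the commonly documented WinINet one, and the longer first DefaultConnectionSettings value in the report carries extra auto-detect state after the same header, which the parser reports only as a trailing byte count rather than decoding.

```python
"""Decode WinINet DefaultConnectionSettings / SavedLegacySettings blobs.

Added example, not sandbox output.  Layout assumed here (commonly documented
WinINet format): DWORD version 0x46, DWORD change counter, DWORD proxy-type
flags, then three length-prefixed ANSI strings (proxy server, bypass list,
auto-config URL).  Whatever follows (auto-detect state) is left undecoded.
"""
import struct

PROXY_TYPE_DIRECT = 0x01          # direct connections allowed
PROXY_TYPE_PROXY = 0x02           # use the explicit proxy server
PROXY_TYPE_AUTO_PROXY_URL = 0x04  # use the PAC script at autoconfig_url
PROXY_TYPE_AUTO_DETECT = 0x08     # WPAD auto-detection on
FLAG_NAMES = {PROXY_TYPE_DIRECT: "DIRECT", PROXY_TYPE_PROXY: "PROXY",
              PROXY_TYPE_AUTO_PROXY_URL: "AUTO_PROXY_URL",
              PROXY_TYPE_AUTO_DETECT: "AUTO_DETECT"}

# Reconstructed from the report's SavedLegacySettings value (also its second
# DefaultConnectionSettings value): version 0x46, counter 2, flags 9, then zeros.
SAVED_LEGACY_SETTINGS = "460000000200000009000000" + "00" * 44


def _read_string(buf, off):
    """DWORD length followed by that many ANSI bytes; returns (text, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("blob truncated inside a string length field")
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("string length runs past end of blob")
    return buf[off:off + n].decode("latin-1"), off + n


def parse_connection_settings(hex_blob):
    buf = bytes.fromhex(hex_blob)
    if len(buf) < 24:
        raise ValueError("blob too short for header and three strings")
    version, counter, flags = struct.unpack_from("<III", buf, 0)
    if version != 0x46:
        raise ValueError(f"unexpected version 0x{version:x}")
    off = 12
    proxy, off = _read_string(buf, off)
    bypass, off = _read_string(buf, off)
    pac_url, off = _read_string(buf, off)
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "flag_names": [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit],
        "proxy_server": proxy,
        "bypass_list": bypass,
        "autoconfig_url": pac_url,
        "trailing_bytes": len(buf) - off,   # auto-detect state, not decoded here
    }


def build_connection_settings(flags, counter=1, proxy="", bypass="", pac_url=""):
    """Encode the same layout (constructed helper, used to round-trip the parser)."""
    body = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac_url):
        raw = s.encode("latin-1")
        body += struct.pack("<I", len(raw)) + raw
    return (body + b"\x00" * 32).hex()


if __name__ == "__main__":
    print(parse_connection_settings(SAVED_LEGACY_SETTINGS))
    # Constructed: the same value as it would look with an explicit proxy set.
    print(parse_connection_settings(build_connection_settings(
        PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY, counter=3,
        proxy="proxy.example:8080", bypass="<local>")))
```

When triaging a host, compare the flags and the counter of the live value with a known-good baseline: a counter that jumped and a PROXY or AUTO_PROXY_URL bit that was not there before points at proxy hijacking, while the DIRECT | AUTO_DETECT pattern seen here is the default state a process inherits when it initialises WinINet under an account that has never had proxy settings configured.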
Processes
-
C:\Windows\system32\rundll32.exe (PID 1836)
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1979f40a1a6ea5d1b3765d51106e1a59.dll,#1
- Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2024, child of 1836)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1979f40a1a6ea5d1b3765d51106e1a59.dll,#1
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 1560, child of 2024)
    C:\WINDOWS\mssecsvc.exe
    - Executes dropped EXE
    - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 1772, child of 1560)
      C:\WINDOWS\tasksche.exe /i
      - Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exe (PID 1248, separate tree root)
C:\WINDOWS\mssecsvc.exe -m security
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
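The Signatures and the process tree above describe one dropper chain: rundll32.exe loads the DLL and calls export #1, the 32-bit rundll32.exe writes C:\WINDOWS\mssecsvc.exe and runs it, that mssecsvc.exe writes and runs C:\WINDOWS\tasksche.exe /i, and a second mssecsvc.exe instance (PID 1248, launched with -m security as a separate tree root) is the one that writes under HKU\.DEFAULT. The script below turns those observations into detection logic over Sysmon-style process, file and connection events, reproducing the report's "Executes dropped EXE", "Drops file in Windows directory", "Drops file in System32 directory" and "Contacts a large number of remote hosts" signatures plus a chain rule for this exact tree. It is an added example, not the sandbox's own code: the events are constructed to mirror the report; the parent PIDs 480/500, the 10.0.x.x destinations, the threshold of 100 distinct hosts, and the attribution of the 1543 contacted hosts to PID 1248 (the report does not say which process did the scanning) are assumptions.

```python
"""Replay the report's behavioural signatures over a constructed event stream.

Added example, not the sandbox's own code.  The events below are constructed
to mirror the report's process tree, "Drops file" IoCs and remote-host count;
parent PIDs 480/500, the 10.0.x.x destinations, the scan threshold and the
choice of PID 1248 as the scanning process are assumptions.
"""
import re
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\1979f40a1a6ea5d1b3765d51106e1a59.dll"


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def write(pid, image, path):  # file created or opened for modification
    return {"type": "file_write", "pid": pid, "image": image, "path": path}


def connect(pid, image, dst):
    return {"type": "connect", "pid": pid, "image": image, "dst": dst}


# Constructed stream; order matters, as drops precede the executions that use them.
EVENTS = [
    proc(1836, 500, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    proc(2024, 1836, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    write(2024, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    proc(1560, 2024, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    write(1560, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    proc(1772, 1560, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    proc(1248, 480, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    write(1248, r"C:\WINDOWS\mssecsvc.exe",
          r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"),
    # Benign rundll32 use (constructed) that must not trip the rundll32 rule.
    proc(3000, 500, r"C:\Windows\system32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
] + [connect(1248, r"C:\WINDOWS\mssecsvc.exe", f"10.0.{i // 256}.{i % 256}") for i in range(1, 1544)]

WINDOWS_DIR = "c:\\windows\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUNDLL32_ORDINAL = re.compile(r"rundll32\.exe\s+\S+\.dll,#\d+\s*$", re.I)


def lineage(procs, pid):
    """pid followed by its ancestors, as far back as the stream saw them."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain


def analyze(events, scan_threshold=100):
    findings = defaultdict(list)
    dropped, procs, hosts = set(), {}, defaultdict(set)
    for ev in events:
        if ev["type"] == "file_write":
            path = ev["path"].lower()
            dropped.add(path)
            if path.startswith(WINDOWS_DIR) and path.count("\\") == 2:
                findings["drops_file_in_windows_dir"].append((ev["pid"], ev["path"]))
            elif path.startswith(SYSTEM_DIRS):
                findings["drops_file_in_system32_dir"].append((ev["pid"], ev["path"]))
        elif ev["type"] == "process":
            procs[ev["pid"]] = ev
            if ev["image"].lower() in dropped:  # image was written earlier in the stream
                findings["executes_dropped_exe"].append((ev["pid"], ev["image"]))
            if RUNDLL32_ORDINAL.search(ev["cmdline"]):
                findings["rundll32_ordinal_export"].append((ev["pid"], ev["cmdline"]))
        elif ev["type"] == "connect":
            hosts[ev["pid"]].add(ev["dst"])
    for pid, dsts in hosts.items():
        if len(dsts) >= scan_threshold:
            findings["contacts_many_remote_hosts"].append((pid, len(dsts)))
    ordinal_pids = {pid for pid, _ in findings.get("rundll32_ordinal_export", [])}
    for pid, ev in procs.items():
        # Chain seen in the report: rundll32 ordinal export -> dropped EXE -> tasksche.exe /i
        if re.search(r"\\tasksche\.exe\s+/i\s*$", ev["cmdline"], re.I):
            chain = lineage(procs, pid)
            if ordinal_pids & set(chain) and any(procs[p]["image"].lower() in dropped for p in chain[1:]):
                findings["wannacry_dropper_chain"].append(chain)
        if re.search(r"\\mssecsvc\.exe\s+-m\s+security\s*$", ev["cmdline"], re.I):
            findings["wannacry_service_launch"].append((pid, ev["cmdline"]))
    return dict(findings)


if __name__ == "__main__":
    for name, hits in analyze(EVENTS).items():
        print(name, hits if len(hits) <= 4 else f"{len(hits)} hits")
```

The "executes dropped EXE" rule is stateful on purpose: it only fires when the image path was written earlier in the same stream, which is what makes PID 1248's launch of C:\WINDOWS\mssecsvc.exe count even though its parent is not in the rundll32 lineage. The chain rule requires both an ordinal-export rundll32 ancestor and a dropped executable in the lineage, so a lone tasksche.exe /i, or rundll32 with a named export, does not match on its own.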
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB
MD5
56a011bd22804db1f0dd157564ed43a2
SHA1
e2c910f85f8788aa2d8ac98e4654831a44dcb138
SHA256
ace331ef636ed0aac15f44052ed151fdceef40ad9163b20e940804713f20f7d6
SHA512
9bbe82da7a81d133c610de4983d8ac3aa3ec37f59fd74b0f620afe113ad28f943cabc59053513be22b3338e10ee4c552cc7f99025692ffac1f1c7f57decfc713
-
C:\Windows\mssecsvc.exe
Filesize
3.6MB
MD5
56a011bd22804db1f0dd157564ed43a2
SHA1
e2c910f85f8788aa2d8ac98e4654831a44dcb138
SHA256
ace331ef636ed0aac15f44052ed151fdceef40ad9163b20e940804713f20f7d6
SHA512
9bbe82da7a81d133c610de4983d8ac3aa3ec37f59fd74b0f620afe113ad28f943cabc59053513be22b3338e10ee4c552cc7f99025692ffac1f1c7f57decfc713
-
C:\Windows\tasksche.exe
Filesize
3.4MB
MD5
7f7ccaa16fb15eb1c7399d422f8363e8
SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234
SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7
-
memory/1560-56-0x0000000000000000-mapping.dmp
-
memory/2024-54-0x0000000000000000-mapping.dmp
-
memory/2024-55-0x00000000752D1000-0x00000000752D3000-memory.dmp
Filesize
8KB