Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system
- submitted: 20-07-2022 00:14

Static task: static1

Behavioral task: behavioral1
- Sample: e08433353038ad755bf8b3abbc2c7bad.dll
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: e08433353038ad755bf8b3abbc2c7bad.dll
- Resource: win10v2004-20220414-en

General
- Target: e08433353038ad755bf8b3abbc2c7bad.dll
- Size: 5.0MB
- MD5: e08433353038ad755bf8b3abbc2c7bad
- SHA1: 679b5cf2405c6952c74ac89e8d397bb328562c50
- SHA256: 8fcbc80aa6c30b9d4a3a6404eb2d593186c50e85a66aa84408d4b600d29fd021
- SHA512: 1c81fc270c713e83f3acfd5fcd55e66b8e2e514225006cf6339695300fa3556d668e102a63ce30576549c7cdbb792a64f908181566be526476affc7f0de1f7c2
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1267) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe

  | pid  | process      |
  |------|--------------|
  | 1952 | mssecsvc.exe |
  | 1648 | mssecsvc.exe |
  | 984  | tasksche.exe |
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvc.exe

  | description | ioc | process |
  |-------------|-----|---------|
  | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe |
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe

  | description | ioc | process |
  |-------------|-----|---------|
  | File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe |
  | File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe |
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe

  | description | ioc | process |
  |-------------|-----|---------|
  | Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA} | mssecsvc.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecision = "0" | mssecsvc.exe |
  | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe |
  | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe |
  | Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe |
  | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe |
  | Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadNetworkName = "Network 3" | mssecsvc.exe |
  | Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe |
  | Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecisionReason = "1" | mssecsvc.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecisionReason = "1" | mssecsvc.exe |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecisionTime = 2093646bde9bd801 | mssecsvc.exe |
  | Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe |
  | Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecisionTime = 2093646bde9bd801 | mssecsvc.exe |
  | Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4 | mssecsvc.exe |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cf000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe |
  | Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\06-5e-a2-7c-72-e4 | mssecsvc.exe |
  | Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecision = "0" | mssecsvc.exe |
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe

  | description | pid  | process      | target process |
  |-------------|------|--------------|----------------|
  | PID 1904 wrote to memory of 608 | 1904 | rundll32.exe | rundll32.exe |
  | PID 1904 wrote to memory of 608 | 1904 | rundll32.exe | rundll32.exe |
  | PID 1904 wrote to memory of 608 | 1904 | rundll32.exe | rundll32.exe |
  | PID 1904 wrote to memory of 608 | 1904 | rundll32.exe | rundll32.exe |
  | PID 1904 wrote to memory of 608 | 1904 | rundll32.exe | rundll32.exe |
  | PID 1904 wrote to memory of 608 | 1904 | rundll32.exe | rundll32.exe |
  | PID 1904 wrote to memory of 608 | 1904 | rundll32.exe | rundll32.exe |
  | PID 608 wrote to memory of 1952 | 608  | rundll32.exe | mssecsvc.exe |
  | PID 608 wrote to memory of 1952 | 608  | rundll32.exe | mssecsvc.exe |
  | PID 608 wrote to memory of 1952 | 608  | rundll32.exe | mssecsvc.exe |
  | PID 608 wrote to memory of 1952 | 608  | rundll32.exe | mssecsvc.exe |
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e08433353038ad755bf8b3abbc2c7bad.dll,#1
  PID: 1904
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e08433353038ad755bf8b3abbc2c7bad.dll,#1
    PID: 608
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1952
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 984
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1648
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: f1e421fe552bd08b838795e83088cf22
  SHA1: 2b1229c0dde4f721c131be6f29fd25bdc15db305
  SHA256: bf741fabfab88823ef02edd0fc58141e1cf065ff576dc37dd6714ca1d5937f60
  SHA512: 937fc8390364045f666a9539d98518e02d1e1c40314c385bf1fc0850f90ff495b2c28aa2aea3d23653c51dadb9fdab0bd185504a7190321966ba2a091b8d473c
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b9b7922922480340d8449411aa8c3e6f
  SHA1: fc2150b3227c501dec8bb710afcb3d9a87c47c75
  SHA256: e3ec13c00d49102cb7088d717af16a3e78d558f6d64cfcf8312ce2de561524b9
  SHA512: 6809ba27785c2e75ffecb73fe97f793bb8c0260b5b8bbab33409af7cf9b0f07211e7a142da09b0d154e5ed42eeadada424a7ab3e1d6af762396fd86b60e5ac87
- memory/608-54-0x0000000000000000-mapping.dmp
- memory/608-55-0x0000000074F01000-0x0000000074F03000-memory.dmp
  Filesize: 8KB
- memory/1952-56-0x0000000000000000-mapping.dmp