Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 00:18

Static task: static1

Behavioral task: behavioral1
- Sample: fa9bb5a74ad749bb95240fa0083b35c6.dll
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: fa9bb5a74ad749bb95240fa0083b35c6.dll
- Resource: win10v2004-20220718-en
General
- Target: fa9bb5a74ad749bb95240fa0083b35c6.dll
- Size: 5.0MB
- MD5: fa9bb5a74ad749bb95240fa0083b35c6
- SHA1: f719d58e07c62fe657c7410605312c6214aaa80e
- SHA256: 95f9847e020b97c1a3bc47d33c15da892958bb76c95153696eda1f13e454ddf5
- SHA512: 84d18a8d85ed3e92703cd4a2fe9e5350d418ad6aea80adf6ac85e7cb4f821e183af6a8b2abca50b40654d0d462a4a2817e6d39d7d3ef17f90f0c0e67b6fe0771
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1269) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 1912: mssecsvc.exe
  - PID 1652: mssecsvc.exe
  - PID 912: tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecision = "0" (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\06-5e-a2-7c-72-e4 (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecision = "0" (mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cf000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA} (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecisionReason = "1" (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecisionTime = 700bc7f9de9bd801 (mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecisionTime = 700bc7f9de9bd801 (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecisionReason = "1" (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4 (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadNetworkName = "Network 3" (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 996 wrote to memory of 1600 (rundll32.exe -> rundll32.exe)
  - PID 996 wrote to memory of 1600 (rundll32.exe -> rundll32.exe)
  - PID 996 wrote to memory of 1600 (rundll32.exe -> rundll32.exe)
  - PID 996 wrote to memory of 1600 (rundll32.exe -> rundll32.exe)
  - PID 996 wrote to memory of 1600 (rundll32.exe -> rundll32.exe)
  - PID 996 wrote to memory of 1600 (rundll32.exe -> rundll32.exe)
  - PID 996 wrote to memory of 1600 (rundll32.exe -> rundll32.exe)
  - PID 1600 wrote to memory of 1912 (rundll32.exe -> mssecsvc.exe)
  - PID 1600 wrote to memory of 1912 (rundll32.exe -> mssecsvc.exe)
  - PID 1600 wrote to memory of 1912 (rundll32.exe -> mssecsvc.exe)
  - PID 1600 wrote to memory of 1912 (rundll32.exe -> mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa9bb5a74ad749bb95240fa0083b35c6.dll,#1
  PID: 996
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa9bb5a74ad749bb95240fa0083b35c6.dll,#1
    PID: 1600
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1912
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 912
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1652
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: dd9c27cab3dd0131d886d09f9cd68e72
  SHA1: 7410c25403515861e3cf9ef18ecb04fdd809da5d
  SHA256: 1727394428b5277b0c32931f15d2a464970b2f3647545c0126628891868db4d6
  SHA512: 15e4df392e45685ce63853a06753bcb3fdae1097d2c878fc4c03069610bdea7ba95baf892cfc9e5c526d7b8246856049368d88f78e9a25f6ca53b92a0d5ccd36
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 9c41886937fa59911c99a546c54a6a6b
  SHA1: 065317b9c188e612d9a32ad41d7158d803c96f3d
  SHA256: c71a6b911888a1144215f78c3f89c41532de72e36498565183a5f7e0150a3d01
  SHA512: 9774e4d89b772ca63389f72a2f89b44e5ab4fef8607cc873e9b904dd3e2b5a982856dd42e4d2c37b9b97fd8bd193b8fa3ce187b28ecc1f688202c125932535ab
- memory/1600-54-0x0000000000000000-mapping.dmp
- memory/1600-55-0x0000000074F01000-0x0000000074F03000-memory.dmp
  Filesize: 8KB
- memory/1912-56-0x0000000000000000-mapping.dmp