Analysis

max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2022 00:33
Static task: static1
Behavioral task: behavioral1
  Sample: 63c573c0e2eb59009ef97da2ecf73f0e.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 63c573c0e2eb59009ef97da2ecf73f0e.dll
  Resource: win10v2004-20220718-en
General

Target: 63c573c0e2eb59009ef97da2ecf73f0e.dll
Size: 5.0MB
MD5: 63c573c0e2eb59009ef97da2ecf73f0e
SHA1: 37190dc39e54b87cf0447baf3586f46e44b0f25f
SHA256: aec918fc5527c8960921c04c7abbcf3aadcb5d8f0aa6862c6d6be68e28771a68
SHA512: 4dc76ecac022bda0dd76cab6e1bbf6774663be1a19d120c13e45ce80c07ef8091c2126d1c341fe87da2d32a7ed0c05afbdfca25f8503d95c653bacaa14be2055
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1230) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID   Process
  1704  mssecsvc.exe
  1548  mssecsvc.exe
  1712  tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvc.exe
  Description                   IoC                                                                                                             Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (every entry below was written by mssecsvc.exe)
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F363206D-C89B-4C23-8337-A926BC36CB0D}\WpadDecisionReason = "1"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-ab-99-2e-89-9d
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-ab-99-2e-89-9d\WpadDecisionReason = "1"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-ab-99-2e-89-9d\WpadDecisionTime = c0cdfa4ed09bd801
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-ab-99-2e-89-9d\WpadDecision = "0"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F363206D-C89B-4C23-8337-A926BC36CB0D}\WpadDecision = "0"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F363206D-C89B-4C23-8337-A926BC36CB0D}
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F363206D-C89B-4C23-8337-A926BC36CB0D}\WpadNetworkName = "Network 3"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F363206D-C89B-4C23-8337-A926BC36CB0D}\36-ab-99-2e-89-9d
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F363206D-C89B-4C23-8337-A926BC36CB0D}\WpadDecisionTime = c0cdfa4ed09bd801
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID   Process       Target PID  Target process  Events
  1680  rundll32.exe  828         rundll32.exe    7
  828   rundll32.exe  1704        mssecsvc.exe    4
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\63c573c0e2eb59009ef97da2ecf73f0e.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1680
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\63c573c0e2eb59009ef97da2ecf73f0e.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 828
    C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1704
      C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 1712

C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 1548
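The process tree above is a compact detection specification: rundll32.exe loading the DLL, a 32-bit rundll32.exe re-launch, C:\WINDOWS\mssecsvc.exe written and executed, tasksche.exe /i spawned from it, a second mssecsvc.exe root started with -m security, and one process contacting 1230 remote hosts. The following is an added example, not part of the sandbox report, that turns those observations into host-based detection logic run over constructed Sysmon-style events. The event fields, the parent PIDs 1000 and 4 used for the two roots, the synthetic 1230-host connection burst, and the 100-host threshold are all assumptions made for the example.

```python
"""Detect the WannaCry dropper chain and scanning behaviour from this report.

Added example, not part of the sandbox report. Events are constructed to
mirror the report's process tree (1680 -> 828 -> 1704 -> 1712, plus the
separate 1548 root) and a synthetic burst of outbound connections.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process (Sysmon EID 1 style)
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dst_ip: str     # destination of an outbound connection (Sysmon EID 3 style)


# Paths the report shows the dropper writing; compared case-insensitively
# because NTFS paths are, and the report itself mixes C:\WINDOWS and C:\Windows.
DROPPED_IMAGES = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}


def _base(image):
    return ntpath.basename(image).lower()


def find_dropper_chains(events):
    """Return (rundll32_pid, mssecsvc_pid, tasksche_pid) for every chain where
    rundll32.exe spawned a dropped mssecsvc.exe that spawned tasksche.exe."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        if _base(e.image) != "tasksche.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() not in DROPPED_IMAGES:
            continue
        grand = by_pid.get(parent.ppid)
        if grand is None or _base(grand.image) != "rundll32.exe":
            continue
        chains.append((grand.pid, parent.pid, e.pid))
    return chains


def find_service_mode_launches(events):
    """PIDs of mssecsvc.exe started with '-m security', the second root above."""
    return [e.pid for e in events
            if _base(e.image) == "mssecsvc.exe" and "-m security" in e.cmdline.lower()]


def find_scanners(net_events, threshold=100):
    """Map PID -> distinct remote host count for PIDs above `threshold`.
    The report's signature fired at 1230 hosts; 100 is an assumed cut-off."""
    hosts = defaultdict(set)
    for n in net_events:
        hosts[n.pid].add(n.dst_ip)
    return {pid: len(h) for pid, h in hosts.items() if len(h) > threshold}


# Constructed sample events modelled on the report; parent PIDs 1000 and 4
# for the two roots are placeholders, not values from the report.
DLL = r"C:\Users\Admin\AppData\Local\Temp\63c573c0e2eb59009ef97da2ecf73f0e.dll"
SAMPLE_PROCS = [
    ProcEvent(1680, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(828, 1680, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1704, 828, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(1712, 1704, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(1548, 4, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ProcEvent(2000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),  # benign noise
]
# Synthetic scan: PID 1548 reaches 1230 distinct hosts, explorer.exe reaches 3.
SAMPLE_NET = ([NetEvent(1548, f"10.0.{i // 256}.{i % 256}") for i in range(1230)]
              + [NetEvent(2000, f"10.1.0.{i}") for i in range(3)])

if __name__ == "__main__":
    print("dropper chains:", find_dropper_chains(SAMPLE_PROCS))
    print("-m security launches:", find_service_mode_launches(SAMPLE_PROCS))
    print("scanners:", find_scanners(SAMPLE_NET))
```

The chain check walks the tree from tasksche.exe upward rather than downward from rundll32.exe, which keeps it robust to the extra 64-bit to 32-bit rundll32.exe hop the report shows (PID 1680 to 828) and to any other intermediate process, as long as the immediate parent is one of the dropped images.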
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 831d52f31a6a17f83e537cd88fb7cb45
  SHA1: a0438282a960785beec3d9883b30f52096d15fd5
  SHA256: 7c8c62652776124e5677090240da894daa838fb8b4a6ced0631523dc8b7e8914
  SHA512: 2abfedabc833fb03db733d8e615e6d07ef291107aec7f68d3aea6867ade5c53d02a1caa97d292a2f34d5a14e57f163e300f7452b076ea71fd3846729c05e9bb6
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 35b29eb65b8155ffddce5b739c464334
  SHA1: 2ee26d2ffae3d9c7e22fdca9ceba8224104a76da
  SHA256: ce57ff23fb05e36a1633a8952a3c9a660883b8a7783c5ca17cf448a6b9d94209
  SHA512: 543d399ea56484a085392c1ece2ccfaad6011980d088038aa320adc1e969b958722250849f7e15f9da8c1ee8bf7ece0763d746c998f9fc6068f732fbf4eab392
memory/828-54-0x0000000000000000-mapping.dmp

memory/828-55-0x0000000076901000-0x0000000076903000-memory.dmp
  Filesize: 8KB

memory/1704-56-0x0000000000000000-mapping.dmp