Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 00:34
Static task: static1

Behavioral task: behavioral1
- Sample: 2dec2553068c0e7f3a4506bf410260ad.dll
- Resource: win7-20220715-en

Behavioral task: behavioral2
- Sample: 2dec2553068c0e7f3a4506bf410260ad.dll
- Resource: win10v2004-20220414-en
General
- Target: 2dec2553068c0e7f3a4506bf410260ad.dll
- Size: 5.0MB
- MD5: 2dec2553068c0e7f3a4506bf410260ad
- SHA1: 5970b85c06cbadf33567b1c05bc650e4a5978b31
- SHA256: f3422d64bb63fb12ffb95cee19fa02f14c83d7bffdfa443eb6a0c460da70d8dd
- SHA512: 294811fc7352fc94a06bcd25e1cae2e2682ceddb633211ee156fa088c6dff727fa092cdde113bbbcb6cb24926b197f1eddd1974f49eb7e090e7e2eab1b073d8b
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1304) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 668: mssecsvc.exe
  - PID 1896: mssecsvc.exe
  - PID 1700: tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (source PID wrote to memory of target PID):
  - PID 1432 (rundll32.exe) wrote to memory of PID 1188 (rundll32.exe), 7 events
  - PID 1188 (rundll32.exe) wrote to memory of PID 668 (mssecsvc.exe), 4 events
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dec2553068c0e7f3a4506bf410260ad.dll,#1
  PID: 1432
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dec2553068c0e7f3a4506bf410260ad.dll,#1
    PID: 1188
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 668
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1700
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1896
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: df432148530b9908d656f1bd759fbf2d
  SHA1: 5011840074ed8bc8c4085e76dc4eb5afc3f13024
  SHA256: 9ccc2ac991e53773acbccd1449c46e4b7c2fea759442fafa65b98746bb79ed4d
  SHA512: 6fcff0e0524a499946d2dfc549ef94971a7bcaffca4e0bd3371f9a043d69501eb0009c45ce7601604d84b8b12984e78e601b5196a306409d461ca5e4b2163fe0
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 76d06d2096fe49ac97c2bf21709bbba4
  SHA1: a7df08006ceafb441271c615c2e1d67218ba81a1
  SHA256: 945f2bb56bfef539d0404194bb7a7ac1f79b2307c33c8b196078c7b16bba098c
  SHA512: b29a68783506989f55eaf6bf160ab285f4579e62e8ca01ad9ef3f4cfd460832a703641a52332a4880b3f8e5d5a63cde897776dd2756b9b9e930280e8dcfd0031
- memory/668-56-0x0000000000000000-mapping.dmp
- memory/1188-54-0x0000000000000000-mapping.dmp
- memory/1188-55-0x0000000076031000-0x0000000076033000-memory.dmp
  Filesize: 8KB