Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
20-07-2022 00:34
Static task
static1
Behavioral task
behavioral1
Sample
a431e6bb7ce0b05dd9d9b408868b7d1f.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
a431e6bb7ce0b05dd9d9b408868b7d1f.dll
Resource
win10v2004-20220718-en
General
-
Target
a431e6bb7ce0b05dd9d9b408868b7d1f.dll
-
Size
5.0MB
-
MD5
a431e6bb7ce0b05dd9d9b408868b7d1f
-
SHA1
1d0be1cfa868f8cc3038bf6deaa9ed38094bd13f
-
SHA256
75eaa5ae72f3f366f85c32532a66aed56c797def2c5d67d7d53c233080555958
-
SHA512
adaff706c8610e1bf6112e103575074f62548065212f225076b92e59d0df6f6cdd602763f81026b00481579b47ce2affaa308cdc76497cf2c3d75dca8a2a4000
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1315) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1996 mssecsvc.exe 1724 mssecsvc.exe 560 tasksche.exe -
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-c7-1a-46-0c-c4\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-c7-1a-46-0c-c4\WpadDecisionTime = 40a45537e19bd801 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-c7-1a-46-0c-c4\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0916F404-CB4C-4236-B527-B9986B804060}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0916F404-CB4C-4236-B527-B9986B804060}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0916F404-CB4C-4236-B527-B9986B804060}\76-c7-1a-46-0c-c4 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0916F404-CB4C-4236-B527-B9986B804060} mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0916F404-CB4C-4236-B527-B9986B804060}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-c7-1a-46-0c-c4 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0916F404-CB4C-4236-B527-B9986B804060}\WpadDecisionTime = 40a45537e19bd801 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1744 wrote to memory of 900 1744 rundll32.exe rundll32.exe PID 1744 wrote to memory of 900 1744 rundll32.exe rundll32.exe PID 1744 wrote to memory of 900 1744 rundll32.exe rundll32.exe PID 1744 wrote to memory of 900 1744 rundll32.exe rundll32.exe PID 1744 wrote to memory of 900 1744 rundll32.exe rundll32.exe PID 1744 wrote to memory of 900 1744 rundll32.exe rundll32.exe PID 1744 wrote to memory of 900 1744 rundll32.exe rundll32.exe PID 900 wrote to memory of 1996 900 rundll32.exe mssecsvc.exe PID 900 wrote to memory of 1996 900 rundll32.exe mssecsvc.exe PID 900 wrote to memory of 1996 900 rundll32.exe mssecsvc.exe PID 900 wrote to memory of 1996 900 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a431e6bb7ce0b05dd9d9b408868b7d1f.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a431e6bb7ce0b05dd9d9b408868b7d1f.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:900 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1996 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:560
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1724
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD50523c35edcf098f1ffd3130e9cc1bab0
SHA12295b78f0f4bd7d99d86d6c3597e298d0fdf943f
SHA25647ce0898c048abd39f4bcb04343fcfa60c239f5739b4fa5bdc7a4ea5e94e0404
SHA512ff5d9e295436f8961b580bfe9f250174c85c826b078f408fdab19afddbaf400a2b3546504a070c9f1ffceab55538066e8a9380e400372c35e893aff412bd9a94
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD50523c35edcf098f1ffd3130e9cc1bab0
SHA12295b78f0f4bd7d99d86d6c3597e298d0fdf943f
SHA25647ce0898c048abd39f4bcb04343fcfa60c239f5739b4fa5bdc7a4ea5e94e0404
SHA512ff5d9e295436f8961b580bfe9f250174c85c826b078f408fdab19afddbaf400a2b3546504a070c9f1ffceab55538066e8a9380e400372c35e893aff412bd9a94
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD50523c35edcf098f1ffd3130e9cc1bab0
SHA12295b78f0f4bd7d99d86d6c3597e298d0fdf943f
SHA25647ce0898c048abd39f4bcb04343fcfa60c239f5739b4fa5bdc7a4ea5e94e0404
SHA512ff5d9e295436f8961b580bfe9f250174c85c826b078f408fdab19afddbaf400a2b3546504a070c9f1ffceab55538066e8a9380e400372c35e893aff412bd9a94
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5d6e25dacaff6a9b0dc0607763dead608
SHA19dc162f9e3fee6f2f080caa679bc94cdc2da7deb
SHA2567dad38154b0efcc10426d97d219effb12412931a43120e5eebbba789c0b7c163
SHA51257ed736cc62a6bbcf2b1d7d810559525d92cedf412d8e6e8d415838867881fd43d4226c74f4a89184e680fc2daf40a6d0ed95f42814a1878da9c869afdcf8cc2
-
memory/900-54-0x0000000000000000-mapping.dmp
-
memory/900-55-0x0000000076091000-0x0000000076093000-memory.dmpFilesize
8KB
-
memory/1996-56-0x0000000000000000-mapping.dmp