Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 00:38
Static task: static1
Behavioral task: behavioral1
- Sample: 150ee2d0b2e6a3c56b572b9783de32fd.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 150ee2d0b2e6a3c56b572b9783de32fd.dll
- Resource: win10v2004-20220718-en
General
- Target: 150ee2d0b2e6a3c56b572b9783de32fd.dll
- Size: 5.0MB
- MD5: 150ee2d0b2e6a3c56b572b9783de32fd
- SHA1: fff045f439705954979fd84265e7d9cfba2947ec
- SHA256: 97bcff11001a7c764cb7e533f3e25880e50039f79d41feeede35944ba251b4d4
- SHA512: a1a45a461a0c8a2a8421626fa6ae782e3bf7d419fb8c92a071ee76114247ccdbc5c401900955a596eb8cc58fa71a0de11b4a7557e119bc0086b4252f2fe4f487
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1250) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes (pid, process):
- 940 mssecsvc.exe
- 1180 mssecsvc.exe
- 1304 tasksche.exe
Drops file in System32 directory 1 IoCs
Processes (description, ioc, process):
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
- File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
- File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
Modifies data under HKEY_USERS 24 IoCs
Processes (description, ioc); all 24 entries by process mssecsvc.exe:
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9B2463B-EE20-46F4-B5BA-E3D70C2F83EB}\WpadNetworkName = "Network 3"
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-30-7e-c7-02-b9\WpadDecision = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-30-7e-c7-02-b9
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-30-7e-c7-02-b9\WpadDecisionReason = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9B2463B-EE20-46F4-B5BA-E3D70C2F83EB}\WpadDecision = "0"
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9B2463B-EE20-46F4-B5BA-E3D70C2F83EB}\WpadDecisionReason = "1"
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9B2463B-EE20-46F4-B5BA-E3D70C2F83EB}
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9B2463B-EE20-46F4-B5BA-E3D70C2F83EB}\WpadDecisionTime = 0050e3c4e19bd801
- Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9B2463B-EE20-46F4-B5BA-E3D70C2F83EB}\06-30-7e-c7-02-b9
- Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-30-7e-c7-02-b9\WpadDecisionTime = 0050e3c4e19bd801
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
Suspicious use of WriteProcessMemory 11 IoCs
Processes (description, pid, process, target process):
- PID 892 wrote to memory of PID 1272 (rundll32.exe -> rundll32.exe), recorded 7 times
- PID 1272 wrote to memory of PID 940 (rundll32.exe -> mssecsvc.exe), recorded 4 times
Processes
- C:\Windows\system32\rundll32.exe (PID 892): rundll32.exe C:\Users\Admin\AppData\Local\Temp\150ee2d0b2e6a3c56b572b9783de32fd.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1272): rundll32.exe C:\Users\Admin\AppData\Local\Temp\150ee2d0b2e6a3c56b572b9783de32fd.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 940): C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1304): C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1180): C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e8f15b2e6f0f9aa17464487ecb8c3939
  SHA1: 55ca67d41ad820326aa1cb4aa4780619654eb585
  SHA256: 43f914802e828bdc92afa83027961494cea3f39d16149a5c76acb330405ddc3f
  SHA512: 8717c7589303e802f456b4dfb913e6a614a8ed4577d518820c22e5dcd14f59a15406823bd4ee4cf7b36f595acdc819ca18c0da7e039af186670aad93241f1e5b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0ac08ee38e7d39ee7e3d90f573ad5d8f
  SHA1: 9e59f5beec0f2fedc275b6d7a9a60315d48e2cde
  SHA256: d02a2876429e039e08b74fd02007803343fa2b1f284b2674319d4286fb9ec20d
  SHA512: 088ffba0dcaa89a81f01cccebd87755d152fbc43e702ac69325953ea5701894d77922e46a4e7c857b9a5aa2cbdfc4a42624075b926e4e8339f6d9400e522ea04
- memory/940-56-0x0000000000000000-mapping.dmp
- memory/1272-54-0x0000000000000000-mapping.dmp
- memory/1272-55-0x0000000075A11000-0x0000000075A13000-memory.dmp
  Filesize: 8KB