Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 00:37
Static task: static1
Behavioral task: behavioral1
- Sample: 03c0458628bcbd0a22bc22a07cd999fb.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 03c0458628bcbd0a22bc22a07cd999fb.dll
- Resource: win10v2004-20220414-en
General
- Target: 03c0458628bcbd0a22bc22a07cd999fb.dll
- Size: 5.0MB
- MD5: 03c0458628bcbd0a22bc22a07cd999fb
- SHA1: 663712a992874cc94b3419701bfcf03572801ba7
- SHA256: 845e35971df0eab511beea6783d7d70f3e12632b9f41240dafcb7a0ee00e2dc5
- SHA512: 647b7d74569c544d90d2cc04c2ca4179a21f2f9741a1aef40cfe785611425c59180c5bd5e5f2ecd50ad098e2dea9b57df0658182de4ba662415c6ef8419ceda3
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1302) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    900   mssecsvc.exe
    1560  mssecsvc.exe
    1316  tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process):
    Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD5ABDE6-A542-44FB-BBC4-452A0BE1EF0D}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD5ABDE6-A542-44FB-BBC4-452A0BE1EF0D}\56-d2-28-2d-c7-fb | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0105000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD5ABDE6-A542-44FB-BBC4-452A0BE1EF0D}\WpadDecision = "0" | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-d2-28-2d-c7-fb\WpadDecisionReason = "1" | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD5ABDE6-A542-44FB-BBC4-452A0BE1EF0D}\WpadDecisionReason = "1" | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-d2-28-2d-c7-fb | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-d2-28-2d-c7-fb\WpadDecisionTime = 20c5f5ddd09bd801 | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD5ABDE6-A542-44FB-BBC4-452A0BE1EF0D} | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CD5ABDE6-A542-44FB-BBC4-452A0BE1EF0D}\WpadDecisionTime = 20c5f5ddd09bd801 | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-d2-28-2d-c7-fb\WpadDecision = "0" | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 1660 wrote to memory of 1756 | 1660 | rundll32.exe | rundll32.exe
    PID 1660 wrote to memory of 1756 | 1660 | rundll32.exe | rundll32.exe
    PID 1660 wrote to memory of 1756 | 1660 | rundll32.exe | rundll32.exe
    PID 1660 wrote to memory of 1756 | 1660 | rundll32.exe | rundll32.exe
    PID 1660 wrote to memory of 1756 | 1660 | rundll32.exe | rundll32.exe
    PID 1660 wrote to memory of 1756 | 1660 | rundll32.exe | rundll32.exe
    PID 1660 wrote to memory of 1756 | 1660 | rundll32.exe | rundll32.exe
    PID 1756 wrote to memory of 900  | 1756 | rundll32.exe | mssecsvc.exe
    PID 1756 wrote to memory of 900  | 1756 | rundll32.exe | mssecsvc.exe
    PID 1756 wrote to memory of 900  | 1756 | rundll32.exe | mssecsvc.exe
    PID 1756 wrote to memory of 900  | 1756 | rundll32.exe | mssecsvc.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c0458628bcbd0a22bc22a07cd999fb.dll,#1
  PID: 1660
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c0458628bcbd0a22bc22a07cd999fb.dll,#1
    PID: 1756
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 900
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1316
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1560
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a71383099dda7a0c5c036fdb8e3eb237
  SHA1: 70e3fa8f1b12cb6e00f7242dae7663a7c15f95ff
  SHA256: c03039b7e9cb4beb256efa0d4fdf15232108301272ce7862c2af7501e7bb4d01
  SHA512: 3f86bd4b7d025b4d940eea8ea6fc35c2231b148b8619a83348d371090f343a91865460074188b6f099127789cd447aa5545648294e09de62e800b654cb82139c
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a71383099dda7a0c5c036fdb8e3eb237
  SHA1: 70e3fa8f1b12cb6e00f7242dae7663a7c15f95ff
  SHA256: c03039b7e9cb4beb256efa0d4fdf15232108301272ce7862c2af7501e7bb4d01
  SHA512: 3f86bd4b7d025b4d940eea8ea6fc35c2231b148b8619a83348d371090f343a91865460074188b6f099127789cd447aa5545648294e09de62e800b654cb82139c
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 9372de57664d7085b1040811fd7aeb54
  SHA1: 265c0d0bce9e87a79301b32140f00840d23f0603
  SHA256: 61e8e0e49f8986b5f25cedbe96590172221554cd8a560e83b412483d62170185
  SHA512: 9a46a8fcee56e554536c15e5f4ef1dcd50bcfa2cadb9daa375de023dad085521355d50fdd4a701da9142078a72776e5192b0f35cf2d4abc156b986254c414335
- memory/900-56-0x0000000000000000-mapping.dmp
- memory/1756-54-0x0000000000000000-mapping.dmp
- memory/1756-55-0x0000000074F41000-0x0000000074F43000-memory.dmp
  Filesize: 8KB