Analysis
-
max time kernel: 151s
max time network: 153s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2022 00:37
Static task: static1
Behavioral task: behavioral1
  Sample: db46a4b5602028e2dfbfe66f18ddb03e.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: db46a4b5602028e2dfbfe66f18ddb03e.dll
  Resource: win10v2004-20220414-en
General
-
Target: db46a4b5602028e2dfbfe66f18ddb03e.dll
Size: 5.0MB
MD5: db46a4b5602028e2dfbfe66f18ddb03e
SHA1: 9fd7d3d26e152c61d34d02b5279a03d590cb6276
SHA256: 24ee543a7b55c9737f32d04577660d274670a9394f7442710940f890f9a858cb
SHA512: 42a14d80b222fe2a681d62426398c3fbc7dc8341045b7c7fa0c7ad7eba5830c56db26da151f6e7469d5bf8e87df36cac94ef27dfd2e02f7f6c104a0cbe674155
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1245) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes: mssecsvr.exe, mssecsvr.exe, tasksche.exe
- PID 1912: mssecsvr.exe
- PID 1316: mssecsvr.exe
- PID 1892: tasksche.exe
-
Drops file in System32 directory (1 IoC)
Processes: mssecsvr.exe
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvr.exe)
-
Drops file in Windows directory (4 IoCs)
Processes: tasksche.exe, rundll32.exe, mssecsvr.exe
- File created: C:\Windows\eee.exe (tasksche.exe)
- File created: C:\WINDOWS\mssecsvr.exe (rundll32.exe)
- File created: C:\WINDOWS\tasksche.exe (mssecsvr.exe)
- File created: C:\Windows\__tmp_rar_sfx_access_check_7085612 (tasksche.exe)
-
Modifies data under HKEY_USERS (24 IoCs)
Processes: mssecsvr.exe (all entries below)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cf000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\06-5e-a2-7c-72-e4
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecision = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecision = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecisionTime = 609b14a2e19bd801
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadDecisionReason = "1"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{458370D2-F5F5-4CF0-84A5-E9A8FC58ECAA}\WpadNetworkName = "Network 3"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-5e-a2-7c-72-e4\WpadDecisionTime = 609b14a2e19bd801
-
Suspicious use of WriteProcessMemory (18 IoCs)
Processes: rundll32.exe, rundll32.exe, mssecsvr.exe
- PID 996 (rundll32.exe) wrote to memory of PID 1600 (rundll32.exe): 7 events
- PID 1600 (rundll32.exe) wrote to memory of PID 1912 (mssecsvr.exe): 4 events
- PID 1912 (mssecsvr.exe) wrote to memory of PID 1892 (tasksche.exe): 7 events
Processes
-
Process tree (indentation shows the parent/child relationship):

- C:\Windows\system32\rundll32.exe, PID 996
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\db46a4b5602028e2dfbfe66f18ddb03e.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe, PID 1600
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\db46a4b5602028e2dfbfe66f18ddb03e.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe, PID 1912
      Command line: C:\WINDOWS\mssecsvr.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\WINDOWS\tasksche.exe, PID 1892
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE; Drops file in Windows directory

- C:\WINDOWS\mssecsvr.exe, PID 1316
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\WINDOWS\mssecsvr.exe
Filesize: 2.2MB
MD5: 49f826ec9f9616dd4bdc60adb295a192
SHA1: d548b2ef2dd8dd00eab22678a69449e80dca154b
SHA256: a82bd3c02c58381abed46b0dd4758d00c3f5ea4675cbf65ff67f26686f43985a
SHA512: 006f5b043a950d39d9bb8baea7919ce8a9f8120166fcb2a01fdd1bef1fd1f5db20b4c8141a90b52f67a8a4f51fb83658be28820754c72c7f8ff15889d6193709
-
C:\WINDOWS\tasksche.exe
Filesize: 2.0MB
MD5: 4ea2a08593aca265499ebca88db8d086
SHA1: 5d9427fc8304d771c9518ede2cd32bdb21cc712f
SHA256: e288d806266c50e3aaf13fa7fbd587a81f9858e2857200328d493f627f74e891
SHA512: 76af1d8e74a59bc6ff55e9395251f32f8c7ac7416b0b3d3115f2fc04e723beae3c1e5d8ca42d1e27d27ec8d05e61f6b0bf3d1d5390ea2ac79b99ff6cd9b3c57a
-
Memory dumps:
- memory/1600-54-0x0000000000000000-mapping.dmp
- memory/1600-55-0x0000000074F01000-0x0000000074F03000-memory.dmp (Filesize: 8KB)
- memory/1892-62-0x0000000000000000-mapping.dmp
- memory/1912-56-0x0000000000000000-mapping.dmp