Analysis
Max time kernel: 150s
Max time network: 153s
Platform: windows7_x64
Resource: win7-20220718-en
Resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
Submitted: 20-07-2022 00:40
Static task: static1
Behavioral task: behavioral1
  Sample: 962e412d3dfb5757ca58b9666cd5a549.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 962e412d3dfb5757ca58b9666cd5a549.dll
  Resource: win10v2004-20220718-en
General
Target: 962e412d3dfb5757ca58b9666cd5a549.dll
Size: 5.0MB
MD5: 962e412d3dfb5757ca58b9666cd5a549
SHA1: 1d3a1039fe3f88f5fcf848ce27770b117f5bb3cd
SHA256: 0e3bf0a2ec32d05bcc15966c16ec51684d98102fd06ca16e01a3b93391fb9243
SHA512: 21ae09efd9d425d4fa70724888b4d4940315eda36fcf527e239c2b2c5bf699844d2230f75da3438ee75044a99290de66e0a6d9282273e82b0b13acd27a9b3216
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (973) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 1412: mssecsvc.exe
  - PID 580: mssecsvc.exe
  - PID 816: tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: all entries below were recorded for mssecsvc.exe
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F5D48090-4AB2-4B59-8ADD-0CD1334F56A0}\WpadDecisionTime = b018861ce29bd801
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F5D48090-4AB2-4B59-8ADD-0CD1334F56A0}\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F5D48090-4AB2-4B59-8ADD-0CD1334F56A0}
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-7e-96-87-bf-da\WpadDecisionReason = "1"
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F5D48090-4AB2-4B59-8ADD-0CD1334F56A0}\WpadDecisionReason = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F5D48090-4AB2-4B59-8ADD-0CD1334F56A0}\e6-7e-96-87-bf-da
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-7e-96-87-bf-da\WpadDecisionTime = b018861ce29bd801
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-7e-96-87-bf-da
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-7e-96-87-bf-da\WpadDecision = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F5D48090-4AB2-4B59-8ADD-0CD1334F56A0}\WpadNetworkName = "Network 3"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 1416 (rundll32.exe) wrote to memory of PID 1772 (rundll32.exe): 7 entries
  - PID 1772 (rundll32.exe) wrote to memory of PID 1412 (mssecsvc.exe): 4 entries
Processes
- C:\Windows\system32\rundll32.exe (PID 1416)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\962e412d3dfb5757ca58b9666cd5a549.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1772)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\962e412d3dfb5757ca58b9666cd5a549.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1412)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 816)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 580)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0d7d93ef42417f5b9a6bfb5af422860b
  SHA1: 1249facb5e70626a09cd5f2391f47762a8844d9d
  SHA256: 710063f297091936cc899c151ad169a05c12d8cf7470f75083f727e70164ece6
  SHA512: 0c6c84a3aa023ca842d58051512f669be28fb3a15eb91279e997928e5f8dbd5beb31cbfb64d15cbdc92bae81b821b4e06e4ef3ec675635bd4e5c02cb3bfd4022
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0d7d93ef42417f5b9a6bfb5af422860b
  SHA1: 1249facb5e70626a09cd5f2391f47762a8844d9d
  SHA256: 710063f297091936cc899c151ad169a05c12d8cf7470f75083f727e70164ece6
  SHA512: 0c6c84a3aa023ca842d58051512f669be28fb3a15eb91279e997928e5f8dbd5beb31cbfb64d15cbdc92bae81b821b4e06e4ef3ec675635bd4e5c02cb3bfd4022
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: c6537995838f255722edc6824ea54e54
  SHA1: 24bd752260770bde897b053984a9cfff9e7bb757
  SHA256: ab5a9c6e8608d61385b0ae8e620d3636d4ac774207159b67084859410fd591c1
  SHA512: 4c6d275ac28fec440cbe024c0d6f8c721be9c4740ce9f3a32c04926e09ef2e15d7b3cca4acc0b045d1fb99f16c4db1bb26940ef6b48beee5882bd07b1b8889f2
- memory/1412-56-0x0000000000000000-mapping.dmp
- memory/1772-54-0x0000000000000000-mapping.dmp
- memory/1772-55-0x0000000075761000-0x0000000075763000-memory.dmp
  Filesize: 8KB