wannacry | 6448d228f342fb138a747f8fa317b004553f36f83fdd1b200baf80b7b9d9f5da

General

Target

2de468a78a23789fd3ae2715b08b919a.dll
Size

5.0MB
MD5

2de468a78a23789fd3ae2715b08b919a
SHA1

b552f34a006c309706ea1d4294f7e75a078beda3
SHA256

6448d228f342fb138a747f8fa317b004553f36f83fdd1b200baf80b7b9d9f5da
SHA512

83a622c6b4c59becffa9d3306e0a24db9e840f316a4f16ceac6f2294706a987f9fd48d1827560252134e6017f81269eedc2219624e4feb50688053d0e711c529

Score

10^/10

wannacry discovery evasion ransomware worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	mssecsvc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1"	mssecsvc.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3202) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1828 mssecsvc.exe
3104 mssecsvc.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3344 1828 WerFault.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

pid	pid_target	process	target process
3344	1828	WerFault.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1828 mssecsvc.exe
1828 mssecsvc.exe
3104 mssecsvc.exe
3104 mssecsvc.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

mssecsvc.exe

pid	process
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe
1828	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description pid process

Token: SeDebugPrivilege 1828 mssecsvc.exe
Token: SeDebugPrivilege 3104 mssecsvc.exe

description	pid	process
Token: SeDebugPrivilege	1828	mssecsvc.exe
Token: SeDebugPrivilege	3104	mssecsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1732 wrote to memory of 840	1732	rundll32.exe	rundll32.exe
PID 1732 wrote to memory of 840	1732	rundll32.exe	rundll32.exe
PID 1732 wrote to memory of 840	1732	rundll32.exe	rundll32.exe
PID 840 wrote to memory of 1828	840	rundll32.exe	mssecsvc.exe
PID 840 wrote to memory of 1828	840	rundll32.exe	mssecsvc.exe
PID 840 wrote to memory of 1828	840	rundll32.exe	mssecsvc.exe
PID 1828 wrote to memory of 592	1828	mssecsvc.exe	winlogon.exe
PID 1828 wrote to memory of 592	1828	mssecsvc.exe	winlogon.exe
PID 1828 wrote to memory of 592	1828	mssecsvc.exe	winlogon.exe
PID 1828 wrote to memory of 592	1828	mssecsvc.exe	winlogon.exe
PID 1828 wrote to memory of 592	1828	mssecsvc.exe	winlogon.exe
PID 1828 wrote to memory of 592	1828	mssecsvc.exe	winlogon.exe
PID 1828 wrote to memory of 676	1828	mssecsvc.exe	lsass.exe
PID 1828 wrote to memory of 676	1828	mssecsvc.exe	lsass.exe
PID 1828 wrote to memory of 676	1828	mssecsvc.exe	lsass.exe
PID 1828 wrote to memory of 676	1828	mssecsvc.exe	lsass.exe
PID 1828 wrote to memory of 676	1828	mssecsvc.exe	lsass.exe
PID 1828 wrote to memory of 676	1828	mssecsvc.exe	lsass.exe
PID 1828 wrote to memory of 788	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 788	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 788	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 788	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 788	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 788	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 796	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 796	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 796	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 796	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 796	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 796	1828	mssecsvc.exe	fontdrvhost.exe
PID 1828 wrote to memory of 804	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 804	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 804	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 804	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 804	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 804	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 912	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 912	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 912	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 912	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 912	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 912	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 964	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 964	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 964	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 964	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 964	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 964	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 60	1828	mssecsvc.exe	dwm.exe
PID 1828 wrote to memory of 60	1828	mssecsvc.exe	dwm.exe
PID 1828 wrote to memory of 60	1828	mssecsvc.exe	dwm.exe
PID 1828 wrote to memory of 60	1828	mssecsvc.exe	dwm.exe
PID 1828 wrote to memory of 60	1828	mssecsvc.exe	dwm.exe
PID 1828 wrote to memory of 60	1828	mssecsvc.exe	dwm.exe
PID 1828 wrote to memory of 528	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 528	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 528	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 528	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 528	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 528	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 904	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 904	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 904	1828	mssecsvc.exe	svchost.exe
PID 1828 wrote to memory of 904	1828	mssecsvc.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:592

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:788

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:60

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:804

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3348

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3412

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:1004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3640

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:3496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3248

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
2⤵
PID:4172

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:1840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:2396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1188

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1432

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1976

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:1020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5016

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2548

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2de468a78a23789fd3ae2715b08b919a.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2de468a78a23789fd3ae2715b08b919a.dll,#1
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:840

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 1408
5⤵
- Program crash
PID:3344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2136

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4312

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1828 -ip 1828
1⤵
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Scanning

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
d67ed037dc59a12f853ad3e2022b8aae

SHA1
ef95fd53062ca7288053029903e4e20c4fd87f22

SHA256
6a6f35646216bcaa415983f3e5ab4196e72da131bb70af2ef6191d63f938dcab

SHA512
3441e18099af9cb9612783c125b9bf65786c15b9928c2f128cc2b66100c68afd05e87194d5d36248001845cfaee7bd67dd9c2a4f3595044c96661d8847211497

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d67ed037dc59a12f853ad3e2022b8aae

SHA1
ef95fd53062ca7288053029903e4e20c4fd87f22

SHA256
6a6f35646216bcaa415983f3e5ab4196e72da131bb70af2ef6191d63f938dcab

SHA512
3441e18099af9cb9612783c125b9bf65786c15b9928c2f128cc2b66100c68afd05e87194d5d36248001845cfaee7bd67dd9c2a4f3595044c96661d8847211497

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d67ed037dc59a12f853ad3e2022b8aae

SHA1
ef95fd53062ca7288053029903e4e20c4fd87f22

SHA256
6a6f35646216bcaa415983f3e5ab4196e72da131bb70af2ef6191d63f938dcab

SHA512
3441e18099af9cb9612783c125b9bf65786c15b9928c2f128cc2b66100c68afd05e87194d5d36248001845cfaee7bd67dd9c2a4f3595044c96661d8847211497

Download Submit
memory/840-130-0x0000000000000000-mapping.dmp

Download
memory/1828-131-0x0000000000000000-mapping.dmp

Download
memory/1828-134-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/1828-137-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/1828-138-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/1828-139-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3104-136-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/3104-140-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads