Analysis
max time kernel: 151s
max time network: 155s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2022 01:37

Static task: static1

Behavioral task: behavioral1
Sample: fbc99e4af741a1ede3251a0b2b061ab1.dll
Resource: win7-20220715-en

Behavioral task: behavioral2
Sample: fbc99e4af741a1ede3251a0b2b061ab1.dll
Resource: win10v2004-20220414-en
General
Target: fbc99e4af741a1ede3251a0b2b061ab1.dll
Size: 5.0MB
MD5: fbc99e4af741a1ede3251a0b2b061ab1
SHA1: 706e06855ab84381eaeaaa23fb4882b45ea09c78
SHA256: 00a87d1b3e33924891dcc5bed69a7a507fe55ee7058ab1d749941eafa71b31cc
SHA512: 1094e0f8c768fedd9593acbb607b69c79fbfe7b0ddb8366bc89d1896b0e76fa9724d2757cc063d77f8dd6f3d3583c0ce2bf266d1675c931ab2debb498627ba67
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1302) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  1820 mssecsvc.exe
  940 mssecsvc.exe
  1696 tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created C:\WINDOWS\mssecsvc.exe rundll32.exe
  File created C:\WINDOWS\tasksche.exe mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process):
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe
  Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2}\WpadDecisionReason = "1" mssecsvc.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2}\WpadDecisionTime = 20fdb541d99bd801 mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2}\WpadDecision = "0" mssecsvc.exe
  Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2}\WpadNetworkName = "Network 3" mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2}\4e-00-ff-75-0c-a4 mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-00-ff-75-0c-a4\WpadDecisionReason = "1" mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe
  Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe
  Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2} mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-00-ff-75-0c-a4 mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-00-ff-75-0c-a4\WpadDecision = "0" mssecsvc.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-00-ff-75-0c-a4\WpadDecisionTime = 20fdb541d99bd801 mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  PID 1432 wrote to memory of 1532 1432 rundll32.exe rundll32.exe
  PID 1432 wrote to memory of 1532 1432 rundll32.exe rundll32.exe
  PID 1432 wrote to memory of 1532 1432 rundll32.exe rundll32.exe
  PID 1432 wrote to memory of 1532 1432 rundll32.exe rundll32.exe
  PID 1432 wrote to memory of 1532 1432 rundll32.exe rundll32.exe
  PID 1432 wrote to memory of 1532 1432 rundll32.exe rundll32.exe
  PID 1432 wrote to memory of 1532 1432 rundll32.exe rundll32.exe
  PID 1532 wrote to memory of 1820 1532 rundll32.exe mssecsvc.exe
  PID 1532 wrote to memory of 1820 1532 rundll32.exe mssecsvc.exe
  PID 1532 wrote to memory of 1820 1532 rundll32.exe mssecsvc.exe
  PID 1532 wrote to memory of 1820 1532 rundll32.exe mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbc99e4af741a1ede3251a0b2b061ab1.dll,#1
  PID: 1432
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fbc99e4af741a1ede3251a0b2b061ab1.dll,#1
    PID: 1532
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1820
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1696
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 940
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: c5cd397504bd08178a5799da3c7b7b21
  SHA1: 0a9122944b1053acfbc7871551422755c482a93e
  SHA256: a0b9618ec5b524b698c2055a27183cb05d769414bb8475f857818508b82aa509
  SHA512: ae79fc8d6d30089f66c1a127f85fd27c075506bee778d3c315a8ea20c91023bb559c1c50a3a6412206326b8e7cb160bb6f61034aa9c0aa7c4da6fd8446d5a43b
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: c5cd397504bd08178a5799da3c7b7b21
  SHA1: 0a9122944b1053acfbc7871551422755c482a93e
  SHA256: a0b9618ec5b524b698c2055a27183cb05d769414bb8475f857818508b82aa509
  SHA512: ae79fc8d6d30089f66c1a127f85fd27c075506bee778d3c315a8ea20c91023bb559c1c50a3a6412206326b8e7cb160bb6f61034aa9c0aa7c4da6fd8446d5a43b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a613709e471c6d65093c3857167234bc
  SHA1: 3e21a9325f14a6ec2d9e0df9b28315ab139e288f
  SHA256: 9f47adad2be191deb99e8419a4659046d099e1646781884e123eb96b5e4a3ab0
  SHA512: 85e758a3059449ee9ad5db9b2f9c2245ffc505dc760a91c59cf7eaebe08732f873ba43b2c9ae17a524143a6edaa258c7b25c075573a0fe1d469be76c5b661afb
- memory/1532-54-0x0000000000000000-mapping.dmp
- memory/1532-55-0x0000000076031000-0x0000000076033000-memory.dmp
  Filesize: 8KB
- memory/1820-56-0x0000000000000000-mapping.dmp