Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:39
Static task: static1
Behavioral task: behavioral1
- Sample: a49f1950d6e7ba759eb5b582fd93615e.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: a49f1950d6e7ba759eb5b582fd93615e.dll
- Resource: win10v2004-20220718-en
General
- Target: a49f1950d6e7ba759eb5b582fd93615e.dll
- Size: 5.0MB
- MD5: a49f1950d6e7ba759eb5b582fd93615e
- SHA1: f2046042d74f5ce2f9c53231d75ff89ac93a39aa
- SHA256: 74f4a8e66cd56e53ca9a343cb189fab9af688f3840a20faa7503f3d37e29f482
- SHA512: 24ffb245dfb168cd7675ab9f24f0a58183e9e2107917f1e82eb1720f69f5ea0e9221a271e7335c918903dd2fe6443cc44874ea9d361660819f42fa9c8f5c1993
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1412) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  1116  mssecsvc.exe
  1108  mssecsvc.exe
  1552  tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                      pid   process       target process
  PID 1212 wrote to memory of 988  1212  rundll32.exe  rundll32.exe
  PID 1212 wrote to memory of 988  1212  rundll32.exe  rundll32.exe
  PID 1212 wrote to memory of 988  1212  rundll32.exe  rundll32.exe
  PID 1212 wrote to memory of 988  1212  rundll32.exe  rundll32.exe
  PID 1212 wrote to memory of 988  1212  rundll32.exe  rundll32.exe
  PID 1212 wrote to memory of 988  1212  rundll32.exe  rundll32.exe
  PID 1212 wrote to memory of 988  1212  rundll32.exe  rundll32.exe
  PID 988 wrote to memory of 1116  988   rundll32.exe  mssecsvc.exe
  PID 988 wrote to memory of 1116  988   rundll32.exe  mssecsvc.exe
  PID 988 wrote to memory of 1116  988   rundll32.exe  mssecsvc.exe
  PID 988 wrote to memory of 1116  988   rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1212)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a49f1950d6e7ba759eb5b582fd93615e.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 988)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a49f1950d6e7ba759eb5b582fd93615e.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1116)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1552)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1108)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB
  MD5: 4f2082112f45afcef2d9fd4fa5673e58
  SHA1: 5f926f458f621394c1cfce65d72d34a32846dd50
  SHA256: 1a6f8a619fde4602f18002572865b5e8b4afad43c32a49e6d0a409739cdeab79
  SHA512: a34e897d7200bf90793bb70de0303ea464f22d22eb842040f2cf7e74078502d33067b69a87e82205ab751ed5c2cd4390715c35202c9dba9de76f61187ec1acf7
- Filesize: 3.4MB
  MD5: a35f182e6d53b2961fee59261746f726
  SHA1: 51cd13eff08eca6a84e43717a7b09eff658cc437
  SHA256: ca61efd76013c26beb9c1c51ecb105f990199709a3709a0413620f924b1c1aaf
  SHA512: 9e840a3599d0dc63e16b037b431b0e9aa3649fa1966b75bc9f0c890b89022390b4312f00a194e5b99a9751b883f2e9e6c6896fc57f520ddc7661791be850e060