Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 00:57
Static task: static1
Behavioral task: behavioral1
- Sample: e2af16636d4c528ef5a01e92dc1ca424.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: e2af16636d4c528ef5a01e92dc1ca424.dll
- Resource: win10v2004-20220718-en
General
- Target: e2af16636d4c528ef5a01e92dc1ca424.dll
- Size: 5.0MB
- MD5: e2af16636d4c528ef5a01e92dc1ca424
- SHA1: 3bfeae70695a880834d2e820f38ea77fa645a80a
- SHA256: f3c704016a36ada2ded03ba9e37e253846ba473bc27421ae8d65b0f118176bfb
- SHA512: 23a74d5567839745af7c0cf0032c7097353409bfd75bd4de4a25d06c14fcad86e8409c53071e369c9d470afeb742c773a691d1ddbd517cb0b2d11f851e687db9
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Contacts a large (1132) amount of remote hosts (1 TTPs): This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    2012 | mssecsvc.exe
    980 | mssecsvc.exe
    1640 | tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42F4AA43-5DAA-4852-8984-E8353ECD8AE0}\WpadDecisionTime = a022aea9d39bd801 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-26-67-67-fb-e5 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42F4AA43-5DAA-4852-8984-E8353ECD8AE0}\2e-26-67-67-fb-e5 | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-26-67-67-fb-e5\WpadDecisionTime = a022aea9d39bd801 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-26-67-67-fb-e5\WpadDecision = "0" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42F4AA43-5DAA-4852-8984-E8353ECD8AE0}\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42F4AA43-5DAA-4852-8984-E8353ECD8AE0}\WpadDecision = "0" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42F4AA43-5DAA-4852-8984-E8353ECD8AE0} | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42F4AA43-5DAA-4852-8984-E8353ECD8AE0}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-26-67-67-fb-e5\WpadDecisionReason = "1" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
    PID 1812 wrote to memory of 1984 | 1812 | rundll32.exe | rundll32.exe
    PID 1812 wrote to memory of 1984 | 1812 | rundll32.exe | rundll32.exe
    PID 1812 wrote to memory of 1984 | 1812 | rundll32.exe | rundll32.exe
    PID 1812 wrote to memory of 1984 | 1812 | rundll32.exe | rundll32.exe
    PID 1812 wrote to memory of 1984 | 1812 | rundll32.exe | rundll32.exe
    PID 1812 wrote to memory of 1984 | 1812 | rundll32.exe | rundll32.exe
    PID 1812 wrote to memory of 1984 | 1812 | rundll32.exe | rundll32.exe
    PID 1984 wrote to memory of 2012 | 1984 | rundll32.exe | mssecsvc.exe
    PID 1984 wrote to memory of 2012 | 1984 | rundll32.exe | mssecsvc.exe
    PID 1984 wrote to memory of 2012 | 1984 | rundll32.exe | mssecsvc.exe
    PID 1984 wrote to memory of 2012 | 1984 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1812)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2af16636d4c528ef5a01e92dc1ca424.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1984)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e2af16636d4c528ef5a01e92dc1ca424.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2012)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1640)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 980)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: fa3e71fea502ae31a70b42f7dfe03925
  SHA1: b4793e64be76ec9696c5a6b4dfae760ca56eec4c
  SHA256: f3076a1b875dd97602eefc2f1b4f7b1b3ffad50d5f1e65dbb1911892d7dbbc37
  SHA512: 21e5920fcce63baf74df0c671ac1c837a254aa1f9b584dd72b62504b38a06e7aafb227f05eb203706589e0b32daf25cf8363c554c1d4414000ec1ab06fa878bb
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: c117e1fc19224659a86d3c0b7fb2eab3
  SHA1: e9f7572de561301a67a4097e531fbee3f978db0b
  SHA256: 3a24c2c2ee15a3bd1b58101baf09e00591fadb827a951c0ed3287de26216f0b0
  SHA512: f6b8dcb0f472a1f36eaa72ac91a2ef50000c5f0b49e3250df26bd41be33cd06e7ebff765c034a760319baeca2f22991afd7dc701377134dd38fd4da7feb9bb99
- memory/1984-54-0x0000000000000000-mapping.dmp
- memory/1984-55-0x0000000076191000-0x0000000076193000-memory.dmp
  Filesize: 8KB
- memory/2012-56-0x0000000000000000-mapping.dmp