Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:09
Static task: static1
Behavioral task: behavioral1
- Sample: 43b8bb691f84c4ec8b4030f251681bcb.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 43b8bb691f84c4ec8b4030f251681bcb.dll
- Resource: win10v2004-20220718-en
General
- Target: 43b8bb691f84c4ec8b4030f251681bcb.dll
- Size: 5.0MB
- MD5: 43b8bb691f84c4ec8b4030f251681bcb
- SHA1: 088dcb05085bd3228f55c0feb15d5ace31ca4ad8
- SHA256: 1616ac5ea843d3c16cc332eef4b910fddf5cab1c9f6e98fe17a87bbf8f3c15ce
- SHA512: 60f904f3dfceb48ae2479f4866d55e575091f70de622c78a1e15fa4fb5b293e5951822c936f0dc867c92472aba26a74d6c437299be7854badfb4d0030018887b
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Contacts a large number (1271) of remote hosts (1 TTP): this may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 1656: mssecsvc.exe
  - PID 340: mssecsvc.exe
  - PID 560: tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 1948 (rundll32.exe) wrote to memory of PID 1752 (rundll32.exe): 7 times
  - PID 1752 (rundll32.exe) wrote to memory of PID 1656 (mssecsvc.exe): 4 times
Processes
- C:\Windows\system32\rundll32.exe (PID 1948)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\43b8bb691f84c4ec8b4030f251681bcb.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1752)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\43b8bb691f84c4ec8b4030f251681bcb.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1656)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 560)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 340)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Downloads
- C:\WINDOWS\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: 0a5223e227654339ebcc279a17b57ad0
  - SHA1: 54964ea82b546bca05219fba0c359480f4e16e47
  - SHA256: 9e7ec63682777109e85948cea01bd2eeb708541ec41c86055faef9d29da3b32b
  - SHA512: f583bd7b4f266653a76b329f490ddf9fab1f42edc6e6493263cffad2de518ffda660306294c689dda6ced03a182b0aef58821553b0a26b3b89e507d5bebba57d
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: 0fca8a8f7a034f96c28820ee6f9dcdc8
  - SHA1: f3e7fd687ba1522067bdae885ea9550c02413cec
  - SHA256: 26a87ddd5c320a71b2326f8ecd20caa0065cd055825c8df6c0e49a91efaa6a47
  - SHA512: 09899b15e17004ca7ea1f3e3500d98588491c4c68c98f1faee599c81d6424cfe5ca580889a9ed5d69c004c475a98bfc4770123af1dd0e601dad4f0915accb894
- memory/1656-56-0x0000000000000000-mapping.dmp
- memory/1752-54-0x0000000000000000-mapping.dmp
- memory/1752-55-0x0000000075301000-0x0000000075303000-memory.dmp
  - Filesize: 8KB