Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:17
Static task: static1
Behavioral task: behavioral1
- Sample: 769ec37bc4de51581ea222ef38d4f752.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 769ec37bc4de51581ea222ef38d4f752.dll
- Resource: win10v2004-20220414-en
General
- Target: 769ec37bc4de51581ea222ef38d4f752.dll
- Size: 5.0MB
- MD5: 769ec37bc4de51581ea222ef38d4f752
- SHA1: 3db70422149469e299bf15a45bf4c6bc97a7031c
- SHA256: 0ca55fe01cf52696f424100ee6de4e8dd262ce1c83257d22bc3edc42c30fb944
- SHA512: 695c79e1e0bef5395f78928b4275d927d0c3570554f976743235ca93299bc615a5a6408cfc68b19ad9ff6b8330bfef0f21221d048c2d210392796b267a022a24
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (989) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID 1612: mssecsvc.exe
  PID 1664: mssecsvc.exe
  PID 1504: tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (every entry below was written by mssecsvc.exe)
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadDecisionReason = "1"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\a6-6b-26-6b-84-8e
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadDecision = "0"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-6b-26-6b-84-8e
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-6b-26-6b-84-8e\WpadDecisionTime = 40039a47e79bd801
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-6b-26-6b-84-8e\WpadDecision = "0"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadNetworkName = "Network 3"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadDecisionTime = 40039a47e79bd801
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-6b-26-6b-84-8e\WpadDecisionReason = "1"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID 1172 (rundll32.exe) wrote to memory of PID 1196 (rundll32.exe), recorded 7 times
  PID 1196 (rundll32.exe) wrote to memory of PID 1612 (mssecsvc.exe), recorded 4 times
Processes
- C:\Windows\system32\rundll32.exe (PID 1172)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\769ec37bc4de51581ea222ef38d4f752.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1196)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\769ec37bc4de51581ea222ef38d4f752.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1612)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1504)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1664)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 938c72f8e4f17aacd8399294eef5ccb6
  SHA1: 2598c7b3f197f50abb4a337facedcce7cde40e31
  SHA256: 909994ae47c3512b079e50e2959afe3ffe36f698b5a8f7e82aee8b4fcf5474cc
  SHA512: 5cb83912c5780bfdb30b16cdbdb0fbe35c5ebac3db959d51a1040431aeb5c04d9866116b3b29f8422f37e98283a98b3a9969cef3828ff992f66451c62cac78db
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 938c72f8e4f17aacd8399294eef5ccb6
  SHA1: 2598c7b3f197f50abb4a337facedcce7cde40e31
  SHA256: 909994ae47c3512b079e50e2959afe3ffe36f698b5a8f7e82aee8b4fcf5474cc
  SHA512: 5cb83912c5780bfdb30b16cdbdb0fbe35c5ebac3db959d51a1040431aeb5c04d9866116b3b29f8422f37e98283a98b3a9969cef3828ff992f66451c62cac78db
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 938c72f8e4f17aacd8399294eef5ccb6
  SHA1: 2598c7b3f197f50abb4a337facedcce7cde40e31
  SHA256: 909994ae47c3512b079e50e2959afe3ffe36f698b5a8f7e82aee8b4fcf5474cc
  SHA512: 5cb83912c5780bfdb30b16cdbdb0fbe35c5ebac3db959d51a1040431aeb5c04d9866116b3b29f8422f37e98283a98b3a9969cef3828ff992f66451c62cac78db
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 94ed322315708f5a79d5ecbd0171f94e
  SHA1: af6138631fa0692742171530af205d07fbca3e78
  SHA256: de9af8502448d1b9f2fec43def7cda8b72f7b03571a162237850715e12ea97c2
  SHA512: c0746b2633eccabc46350d6e336bc25c755d1e478bc0154de8f1decc9cb028eb6a286351ec17668d267818a8fb1959c3d16d875e42f54daeeabde88e9a4382e3
- memory/1196-54-0x0000000000000000-mapping.dmp
- memory/1196-55-0x00000000754F1000-0x00000000754F3000-memory.dmp
  Filesize: 8KB
- memory/1612-56-0x0000000000000000-mapping.dmp