Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:18
Static task: static1
Behavioral task: behavioral1
  Sample: 7cf21cdad3e9afe55c93277c8a6bdf05.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 7cf21cdad3e9afe55c93277c8a6bdf05.dll
  Resource: win10v2004-20220718-en
General
- Target: 7cf21cdad3e9afe55c93277c8a6bdf05.dll
- Size: 5.0MB
- MD5: 7cf21cdad3e9afe55c93277c8a6bdf05
- SHA1: 62b524d643680feb04e3b779236852f05204b0b5
- SHA256: dc91b3c7e34025c093ace464aea3c2ce961c90032a61d8b861f35423b2784fcb
- SHA512: 159cb8929ca242dd03bd40c6041c0f2554ddf18c6e4442c70e7b2c906dda5590482867b3673c1550c57530581c30091431d44864a02f4b9dc4c9aa371480d3d9
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1225) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  1912 mssecsvc.exe
  1720 mssecsvc.exe
  832 tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  PID 752 wrote to memory of 336 | 752 | rundll32.exe | rundll32.exe
  PID 752 wrote to memory of 336 | 752 | rundll32.exe | rundll32.exe
  PID 752 wrote to memory of 336 | 752 | rundll32.exe | rundll32.exe
  PID 752 wrote to memory of 336 | 752 | rundll32.exe | rundll32.exe
  PID 752 wrote to memory of 336 | 752 | rundll32.exe | rundll32.exe
  PID 752 wrote to memory of 336 | 752 | rundll32.exe | rundll32.exe
  PID 752 wrote to memory of 336 | 752 | rundll32.exe | rundll32.exe
  PID 336 wrote to memory of 1912 | 336 | rundll32.exe | mssecsvc.exe
  PID 336 wrote to memory of 1912 | 336 | rundll32.exe | mssecsvc.exe
  PID 336 wrote to memory of 1912 | 336 | rundll32.exe | mssecsvc.exe
  PID 336 wrote to memory of 1912 | 336 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7cf21cdad3e9afe55c93277c8a6bdf05.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7cf21cdad3e9afe55c93277c8a6bdf05.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 487517773cf300fa7aec3e686fb5f239
  SHA1: 15bde3458a80106ce367774ad51f210d7a83ed16
  SHA256: c16ea664482d60d4709e7adf66c20a1bd0e7770c2b16f1c7b4eccb9802ebe8c3
  SHA512: da5a8cd79586a0acb3906be6e28655f95c1484aa49810ef9faaee6d39d2c67630c3861b4aaad43c483fa9035fb8f8a20a94751ac065928cb578eca3cdbf59a68
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 487517773cf300fa7aec3e686fb5f239
  SHA1: 15bde3458a80106ce367774ad51f210d7a83ed16
  SHA256: c16ea664482d60d4709e7adf66c20a1bd0e7770c2b16f1c7b4eccb9802ebe8c3
  SHA512: da5a8cd79586a0acb3906be6e28655f95c1484aa49810ef9faaee6d39d2c67630c3861b4aaad43c483fa9035fb8f8a20a94751ac065928cb578eca3cdbf59a68
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 8728773b11617f5823f8bd3824bdd40d
  SHA1: 94e25218bbc2c748797d22d610ecc08f3b03d94d
  SHA256: e39123f4e7c1b2cbc62e1a79d0b396c48f894c6f82f978a519cf23d77c0c77c1
  SHA512: 9f93aebce8d2502ac0591f0b0f2fe49924cd0a2fe04faace50931b46f5901c570f313e9b4a8136ec169a1cd494f05a0bd1db280a8b7e4763ea8bb269be1a658a
- memory/336-54-0x0000000000000000-mapping.dmp
- memory/336-55-0x0000000074D61000-0x0000000074D63000-memory.dmp
  Filesize: 8KB
- memory/1912-56-0x0000000000000000-mapping.dmp