Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64 arch:x86 image:win7-20220715-en locale:en-us os:windows7-x64 system
- submitted: 20-07-2022 01:23
Static task
- static1
Behavioral task
- behavioral1
  Sample: 4c35693cadb792e90bdddc8380b842c5.dll
  Resource: win7-20220715-en
Behavioral task
- behavioral2
  Sample: 4c35693cadb792e90bdddc8380b842c5.dll
  Resource: win10v2004-20220718-en
General
- Target: 4c35693cadb792e90bdddc8380b842c5.dll
- Size: 5.0MB
- MD5: 4c35693cadb792e90bdddc8380b842c5
- SHA1: 746a147d80ad18a14675cd3ac6ab36732b005993
- SHA256: ec29f4db6e43c8bfad91f4d2910c6db42b975d33f7a51c69ea9e0dc9d400584f
- SHA512: 74ae721343082477fc09ef865d595c2150b085bea7e935e52587946da0ac0f54296a85cacdd37c9b70518668ffaf55012e8f21feade02a433363217d92544630
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (1306) of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid  | process
  1948 | mssecsvc.exe
  928  | mssecsvc.exe
  908  | tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description                  | ioc                                                                                                           | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description  | ioc                     | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid  | pid_target | process      | target process
  1588 | 908        | WerFault.exe | tasksche.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description      | ioc | process
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1F0D594-F7A6-447B-8499-4051A8242B9A}\WpadDecision = "0" | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1F0D594-F7A6-447B-8499-4051A8242B9A}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-a3-ff-fd-78-bb | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-a3-ff-fd-78-bb\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-a3-ff-fd-78-bb\WpadDecisionTime = 1074844ad79bd801 | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1F0D594-F7A6-447B-8499-4051A8242B9A}\WpadDecisionReason = "1" | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0104000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1F0D594-F7A6-447B-8499-4051A8242B9A} | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1F0D594-F7A6-447B-8499-4051A8242B9A}\WpadDecisionTime = 1074844ad79bd801 | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1F0D594-F7A6-447B-8499-4051A8242B9A}\da-a3-ff-fd-78-bb | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-a3-ff-fd-78-bb\WpadDecision = "0" | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: rundll32.exe, rundll32.exe, mssecsvc.exe, tasksche.exe
  description                      | pid  | process      | target process
  PID 1944 wrote to memory of 1016 | 1944 | rundll32.exe | rundll32.exe
  PID 1944 wrote to memory of 1016 | 1944 | rundll32.exe | rundll32.exe
  PID 1944 wrote to memory of 1016 | 1944 | rundll32.exe | rundll32.exe
  PID 1944 wrote to memory of 1016 | 1944 | rundll32.exe | rundll32.exe
  PID 1944 wrote to memory of 1016 | 1944 | rundll32.exe | rundll32.exe
  PID 1944 wrote to memory of 1016 | 1944 | rundll32.exe | rundll32.exe
  PID 1944 wrote to memory of 1016 | 1944 | rundll32.exe | rundll32.exe
  PID 1016 wrote to memory of 1948 | 1016 | rundll32.exe | mssecsvc.exe
  PID 1016 wrote to memory of 1948 | 1016 | rundll32.exe | mssecsvc.exe
  PID 1016 wrote to memory of 1948 | 1016 | rundll32.exe | mssecsvc.exe
  PID 1016 wrote to memory of 1948 | 1016 | rundll32.exe | mssecsvc.exe
  PID 1948 wrote to memory of 908  | 1948 | mssecsvc.exe | tasksche.exe
  PID 1948 wrote to memory of 908  | 1948 | mssecsvc.exe | tasksche.exe
  PID 1948 wrote to memory of 908  | 1948 | mssecsvc.exe | tasksche.exe
  PID 1948 wrote to memory of 908  | 1948 | mssecsvc.exe | tasksche.exe
  PID 908 wrote to memory of 1588  | 908  | tasksche.exe | WerFault.exe
  PID 908 wrote to memory of 1588  | 908  | tasksche.exe | WerFault.exe
  PID 908 wrote to memory of 1588  | 908  | tasksche.exe | WerFault.exe
  PID 908 wrote to memory of 1588  | 908  | tasksche.exe | WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1944)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c35693cadb792e90bdddc8380b842c5.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1016)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c35693cadb792e90bdddc8380b842c5.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1948)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\WINDOWS\tasksche.exe (PID 908)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WerFault.exe (PID 1588)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 36
          Signatures: Program crash
- C:\WINDOWS\mssecsvc.exe (PID 928)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4e9e7d540c73d79a641299c02154a342
  SHA1: 259a5feb4e5032d32474042aad4e3444da12df1d
  SHA256: 52f6872620f955c3ba83cb5b7662409317811a32890f1545c6aeeea851fd38a5
  SHA512: 770943a07fb2889071c3f2ae82d2db1340c871c2e95beb4fd8d64fec14451ce98c3ec7cfbc2097f6958f345f827b2de597742183530d32621793daf0c7c0c6c9
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4e9e7d540c73d79a641299c02154a342
  SHA1: 259a5feb4e5032d32474042aad4e3444da12df1d
  SHA256: 52f6872620f955c3ba83cb5b7662409317811a32890f1545c6aeeea851fd38a5
  SHA512: 770943a07fb2889071c3f2ae82d2db1340c871c2e95beb4fd8d64fec14451ce98c3ec7cfbc2097f6958f345f827b2de597742183530d32621793daf0c7c0c6c9
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 05b62993be8f2411988da09e828ea3a9
  SHA1: a211ce025d3f266f8e60dbb5985d6b6bc6fbd795
  SHA256: e1e1d0a7b950fee4294a3e8b8c944e215d9c9cd1aa718cc87d48c2bc2f71d149
  SHA512: 0fd8b0d191e1ef44da171bf261532394a87d5c766c49979f5061bd68d42452e741f9c6ae3dad6ff301db1c5069e533e63f6a976398c782da79b194f8da5e5559
- memory/908-62-0x0000000000000000-mapping.dmp
- memory/1016-54-0x0000000000000000-mapping.dmp
- memory/1016-55-0x0000000076081000-0x0000000076083000-memory.dmp
  Filesize: 8KB
- memory/1588-64-0x0000000000000000-mapping.dmp
- memory/1948-56-0x0000000000000000-mapping.dmp