Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:24
Static task: static1
Behavioral task: behavioral1
- Sample: df700ef9aeaee03255fb66a57c2609c7.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: df700ef9aeaee03255fb66a57c2609c7.dll
- Resource: win10v2004-20220718-en
General
- Target: df700ef9aeaee03255fb66a57c2609c7.dll
- Size: 5.0MB
- MD5: df700ef9aeaee03255fb66a57c2609c7
- SHA1: 7400dbe5c6542ab39b442a8b980eb3927a4b26b9
- SHA256: 0ef3e12c837bd305c71966452aa170f20d4c3756a13308935a984e82bb76cc8b
- SHA512: 6d55f68e014fd00cf4c745c1929748c79132ac40668c52a199a7d8dffbdd589e9d0dad0c44816e918d52b43e0b25c47ce9c4adcc2219e230ee14ec1165a59d0a
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (1235) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes: mssecsvr.exe, mssecsvr.exe
  PID   Process
  1424  mssecsvr.exe
  948   mssecsvr.exe
- Drops file in System32 directory (1 IoC)
  Process: mssecsvr.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvr.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvr.exe
  File created: C:\WINDOWS\mssecsvr.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvr.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Process: mssecsvr.exe
  These are WinINet proxy auto-detection (WPAD), connection and cache keys under the .DEFAULT hive. Windows writes them when a process running as LocalSystem uses the WinINet HTTP client, so together with the counters.dat write under the SysWOW64 systemprofile they show that the mssecsvr.exe instance made outbound HTTP requests as a service account; they are not WannaCry-specific persistence keys.
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FB71F0A-7BB4-48D6-ADFB-E1305F2DE7A3}\WpadDecisionReason = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FB71F0A-7BB4-48D6-ADFB-E1305F2DE7A3}\WpadDecision = "0"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-10-03-b8-c9-ae
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FB71F0A-7BB4-48D6-ADFB-E1305F2DE7A3}
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-10-03-b8-c9-ae\WpadDecisionReason = "1"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-10-03-b8-c9-ae\WpadDecisionTime = 807a0f33e89bd801
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FB71F0A-7BB4-48D6-ADFB-E1305F2DE7A3}\WpadNetworkName = "Network 3"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FB71F0A-7BB4-48D6-ADFB-E1305F2DE7A3}\be-10-03-b8-c9-ae
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-10-03-b8-c9-ae\WpadDecision = "0"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8FB71F0A-7BB4-48D6-ADFB-E1305F2DE7A3}\WpadDecisionTime = 807a0f33e89bd801
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID   Process       Target PID  Target process  Events
  308   rundll32.exe  1512        rundll32.exe    7 (PID 308 wrote to memory of 1512)
  1512  rundll32.exe  1424        mssecsvr.exe    4 (PID 1512 wrote to memory of 1424)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\df700ef9aeaee03255fb66a57c2609c7.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 308
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\df700ef9aeaee03255fb66a57c2609c7.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1512
    - C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1424
- C:\WINDOWS\mssecsvr.exe (second tree root; no parent process recorded in the report)
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 948
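The process tree and drop IoCs above translate directly into hunting rules: a 64-bit rundll32 re-launching the DLL through the SysWOW64 rundll32 by ordinal #1, that process writing an .exe straight into C:\WINDOWS, the dropped mssecsvr.exe executing with rundll32 in its ancestry, and a second instance started with "-m security". The script below is an added example and is not part of the sandbox report. Its event records are constructed to mirror the report (same PIDs, image paths, command lines and SHA256 values); the Event fields loosely follow Sysmon process-create and file-create records but that schema is an assumption, and the parent PIDs of the two tree roots (308 and 948), which the report does not record, are left as None.

```python
"""Hunting logic derived from this report's process tree and drop/hash IoCs.

Added example, not part of the sandbox report. Events are constructed to
mirror the report; the Event schema is an assumption (Sysmon-like), not a
real log format. Root processes 308 and 948 have no recorded parent.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SHA256 values taken from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "f229f1a829852b1a49d7a9e9d620721824deeca6f27d0a2963c4058c8d6bc0a6": "mssecsvr.exe (dropped)",
    "0ef3e12c837bd305c71966452aa170f20d4c3756a13308935a984e82bb76cc8b": "df700ef9aeaee03255fb66a57c2609c7.dll",
}


@dataclass
class Event:
    kind: str                   # "process" (process create) or "file" (file create)
    pid: int                    # acting process
    image: str                  # full image path of the acting process
    ppid: Optional[int] = None  # parent PID; None where the report records none
    cmdline: str = ""
    target: str = ""            # created file path, for "file" events
    sha256: str = ""            # hash of the created file, when known


DLL_CMD = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\df700ef9aeaee03255fb66a57c2609c7.dll,#1"
MSSECSVR = r"C:\WINDOWS\mssecsvr.exe"

# Constructed events mirroring the report's process tree and file drops.
EVENTS: List[Event] = [
    Event("process", 308, r"C:\Windows\system32\rundll32.exe", cmdline=DLL_CMD),
    Event("process", 1512, r"C:\Windows\SysWOW64\rundll32.exe", ppid=308, cmdline=DLL_CMD),
    Event("file", 1512, r"C:\Windows\SysWOW64\rundll32.exe", target=MSSECSVR,
          sha256="f229f1a829852b1a49d7a9e9d620721824deeca6f27d0a2963c4058c8d6bc0a6"),
    Event("process", 1424, MSSECSVR, ppid=1512, cmdline=MSSECSVR),
    Event("file", 1424, MSSECSVR, target=r"C:\WINDOWS\tasksche.exe"),
    Event("process", 948, MSSECSVR, cmdline=MSSECSVR + " -m security"),
    # Constructed benign control: rundll32 invoking a system DLL must not fire.
    Event("process", 2000, r"C:\Windows\system32\rundll32.exe",
          cmdline=r"rundll32.exe shell32.dll,Control_RunDLL"),
]

Hit = Tuple[str, int, str]  # (rule name, pid, detail)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(events: List[Event]) -> Dict[int, Event]:
    """Index process-create events by PID so lineage can be walked through ppid."""
    return {e.pid: e for e in events if e.kind == "process"}


def lineage(procs: Dict[int, Event], pid: int) -> List[str]:
    """Image basenames from the outermost known ancestor down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return chain[::-1]


def detect(events: List[Event]) -> List[Hit]:
    """Apply rules derived from the report's signatures; returns one hit per match."""
    procs = build_tree(events)
    hits: List[Hit] = []
    for e in events:
        name = basename(e.image)
        if e.kind == "file":
            tgt = e.target.lower()
            # "Drops file in Windows directory": rundll32 writing an .exe straight into C:\Windows
            if name == "rundll32.exe" and tgt.startswith("c:\\windows\\") and tgt.endswith(".exe"):
                hits.append(("rundll32_drops_exe_in_windir", e.pid, e.target))
            if name == "mssecsvr.exe" and basename(e.target) == "tasksche.exe":
                hits.append(("mssecsvr_drops_tasksche", e.pid, e.target))
            if e.sha256 in KNOWN_SHA256:
                hits.append(("known_hash", e.pid, KNOWN_SHA256[e.sha256]))
            continue
        cmd = e.cmdline.lower()
        # rundll32 loading a DLL from the user's Temp directory by ordinal #1
        if name == "rundll32.exe" and ".dll,#1" in cmd and "\\appdata\\local\\temp\\" in cmd:
            hits.append(("rundll32_ordinal1_temp_dll", e.pid, e.cmdline))
        if name == "mssecsvr.exe":
            # "Executes dropped EXE": mssecsvr.exe with rundll32 somewhere in its ancestry
            chain = lineage(procs, e.pid)
            if "rundll32.exe" in chain[:-1]:
                hits.append(("mssecsvr_spawned_by_rundll32", e.pid, " -> ".join(chain)))
            # the service-style instance seen as PID 948 in the report
            if "-m security" in cmd:
                hits.append(("mssecsvr_service_args", e.pid, e.cmdline))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Run as-is it reports seven hits across PIDs 308, 1512, 1424 and 948 and nothing for the benign rundll32 control. The lineage walk is the part worth keeping when adapting this to real telemetry: the report shows 64-bit rundll32 handing off to the SysWOW64 copy before mssecsvr.exe appears, so matching only on the immediate parent would miss the first hop.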
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvr.exe (listed three times in the report, also as C:\Windows\mssecsvr.exe; all entries carry identical hashes)
  Filesize: 2.2MB
  MD5: 5d0f350460081add5700df70e7e1646e
  SHA1: eac3fe1e24fffec1c263127f91e20a738960129e
  SHA256: f229f1a829852b1a49d7a9e9d620721824deeca6f27d0a2963c4058c8d6bc0a6
  SHA512: c4655fcad6e65aea581b7e80248f57f092d7c2cb0e8dbb9befd73185f2de8fcfa8dddc1eb56042e1f32bb3f56ebe7464ce0ce681e7b497ebaaa29cd8e71a1931
- memory/1424-56-0x0000000000000000-mapping.dmp
- memory/1512-54-0x0000000000000000-mapping.dmp
- memory/1512-55-0x0000000075591000-0x0000000075593000-memory.dmp
  Filesize: 8KB