Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
20-07-2022 01:28
Static task
static1
Behavioral task
behavioral1
Sample
cab74b35aa582da53c621a442ec5ee33.dll
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
cab74b35aa582da53c621a442ec5ee33.dll
Resource
win10v2004-20220718-en
General
-
Target
cab74b35aa582da53c621a442ec5ee33.dll
-
Size
5.0MB
-
MD5
cab74b35aa582da53c621a442ec5ee33
-
SHA1
87e97ce7279aaff6922972461d191145faeb146b
-
SHA256
c9e8c8010647474018aa1d292410ba890c078b76ae463dc930e193ebce74f0f3
-
SHA512
4510d367e4d32a74ce5e7651d5a8e72729a0f0e3e1aabdcc05630625c1e4e49f53745c2082a7336ecbd63cc9501f6577ec1e49f1a2931e59cc9e67c17150b3e8
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1295) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1712 mssecsvc.exe 804 mssecsvc.exe 1508 tasksche.exe -
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF3AD9-38FC-4FD0-80CD-1D1125A655A4} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF3AD9-38FC-4FD0-80CD-1D1125A655A4}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF3AD9-38FC-4FD0-80CD-1D1125A655A4}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0106000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF3AD9-38FC-4FD0-80CD-1D1125A655A4}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-aa-4e-dd-1d-f6 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-aa-4e-dd-1d-f6\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-aa-4e-dd-1d-f6\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-aa-4e-dd-1d-f6\WpadDecisionTime = c05213ffd79bd801 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF3AD9-38FC-4FD0-80CD-1D1125A655A4}\WpadDecisionTime = c05213ffd79bd801 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{05FF3AD9-38FC-4FD0-80CD-1D1125A655A4}\d6-aa-4e-dd-1d-f6 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1108 wrote to memory of 900 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 900 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 900 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 900 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 900 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 900 1108 rundll32.exe rundll32.exe PID 1108 wrote to memory of 900 1108 rundll32.exe rundll32.exe PID 900 wrote to memory of 1712 900 rundll32.exe mssecsvc.exe PID 900 wrote to memory of 1712 900 rundll32.exe mssecsvc.exe PID 900 wrote to memory of 1712 900 rundll32.exe mssecsvc.exe PID 900 wrote to memory of 1712 900 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cab74b35aa582da53c621a442ec5ee33.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cab74b35aa582da53c621a442ec5ee33.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:900 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1712 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:1508
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:804
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD53c755b03e9e9fec0cc49f41f782537f2
SHA1846730de455b9970f49885894617579e774becb7
SHA2565425fe5ac1b27db1ece0a8caac949a45529019e7ebbd95451a0a0c7e2517ad83
SHA51246921fd8c68693713f7f75e810c0fdbc78e0023f3b34bddc82746322f42e45882e51f29862ada90ce240d8cd6255e8d2ebb43059cd3e8bf329bf312813f7b066
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD53c755b03e9e9fec0cc49f41f782537f2
SHA1846730de455b9970f49885894617579e774becb7
SHA2565425fe5ac1b27db1ece0a8caac949a45529019e7ebbd95451a0a0c7e2517ad83
SHA51246921fd8c68693713f7f75e810c0fdbc78e0023f3b34bddc82746322f42e45882e51f29862ada90ce240d8cd6255e8d2ebb43059cd3e8bf329bf312813f7b066
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD53c755b03e9e9fec0cc49f41f782537f2
SHA1846730de455b9970f49885894617579e774becb7
SHA2565425fe5ac1b27db1ece0a8caac949a45529019e7ebbd95451a0a0c7e2517ad83
SHA51246921fd8c68693713f7f75e810c0fdbc78e0023f3b34bddc82746322f42e45882e51f29862ada90ce240d8cd6255e8d2ebb43059cd3e8bf329bf312813f7b066
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD531c9b44f83f41b723af7b344e42b83a4
SHA12598d6f7706571557ca690570e47a05ac49ab6fe
SHA2567727a7815bf9d9f91792ebb5d1197350452843ed94c06bfd4e24315d17ef4b04
SHA5128746b813b3bd74b6f07d0b538c9a50551d9923ef712092dc7a8e1bb6ddf594f6aa477628cf12b051e71f322216b948922195d678ca3fc5d2a59913db54791d0e
-
memory/900-54-0x0000000000000000-mapping.dmp
-
memory/900-55-0x00000000762A1000-0x00000000762A3000-memory.dmpFilesize
8KB
-
memory/1712-56-0x0000000000000000-mapping.dmp