Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:30
Static task: static1
Behavioral task: behavioral1
  Sample: 073906fb1146a94214c99d3415297b5b.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 073906fb1146a94214c99d3415297b5b.dll
  Resource: win10v2004-20220718-en
General
- Target: 073906fb1146a94214c99d3415297b5b.dll
- Size: 5.0MB
- MD5: 073906fb1146a94214c99d3415297b5b
- SHA1: 517e601390f3ecdd41931a96b8196cba424ba805
- SHA256: fafa7cb85fe7b111bf2484141d8dd4ad763007202b1e78aa7ebdaab3bb121a26
- SHA512: 79f42b6094d4742085c8dba0e554f32d80ec73381d7442669892fc7cea9241c94ea4a0010713f2c901fa6347b228c3a8a60ff300a38c4eff98c379d8cea2e9ab
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1252) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID   Process
  1608  mssecsvc.exe
  1052  mssecsvc.exe
  2000  tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  Description                   IoC                                                                                                              Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  All 24 writes are WinINet proxy auto-detection (WPAD) and cache state under the .DEFAULT hive, the hive that HKCU resolves to for a process running as SYSTEM, which fits the service-style `mssecsvc.exe -m security` launch (PID 1052) this signature is attributed to.
  Processes (all by mssecsvc.exe):
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\a6-6b-26-6b-84-8e
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadDecisionReason = "1"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadDecisionTime = 30d31708e99bd801
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadNetworkName = "Network 3"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadDecision = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-6b-26-6b-84-8e
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-6b-26-6b-84-8e\WpadDecisionReason = "1"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-6b-26-6b-84-8e\WpadDecisionTime = 30d31708e99bd801
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-6b-26-6b-84-8e\WpadDecision = "0"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  Description                      Process       Target process   Count
  PID 1156 wrote to memory of 852  rundll32.exe  rundll32.exe     7
  PID 852 wrote to memory of 1608  rundll32.exe  mssecsvc.exe     4
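The "contacts a large number of remote hosts" signature above is a fan-out heuristic: one process reaching many distinct destinations in a short time. The script below is an added example of that heuristic as a sliding-window detector over connection events, not code from the report or from the sandbox. The connection records are constructed for the example; the report supplies only the host count (1252) and the PIDs, so the destination addresses, the timing and the choice of port 445 for the scanning process are assumptions.

```python
"""Added example: sliding-window fan-out detector for the "contacts a large
number of remote hosts" behaviour flagged in the report. Connection events are
constructed; the report gives the host count (1252) but no ports or targets."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ConnEvent:
    ts: float       # seconds since capture start
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def detect_fanout(events: List[ConnEvent], window_s: float = 60.0,
                  threshold: int = 100) -> List[Dict]:
    """Flag every process that reaches more than `threshold` distinct destination
    hosts inside some sliding window of `window_s` seconds. Returns one alert per
    process with its peak distinct-host count and most-used destination port."""
    by_proc: Dict[tuple, List[ConnEvent]] = defaultdict(list)
    for e in events:
        by_proc[(e.pid, e.image)].append(e)

    alerts = []
    for (pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        in_window: Dict[str, int] = defaultdict(int)   # dst_ip -> events inside window
        ports: Dict[int, int] = defaultdict(int)        # dst_port -> total events
        left, peak = 0, 0
        for e in evs:
            in_window[e.dst_ip] += 1
            ports[e.dst_port] += 1
            # Advance the left edge until the window is at most window_s wide,
            # dropping hosts whose last connection fell out of the window.
            while e.ts - evs[left].ts > window_s:
                old = evs[left]
                in_window[old.dst_ip] -= 1
                if in_window[old.dst_ip] == 0:
                    del in_window[old.dst_ip]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            alerts.append({"pid": pid, "image": image, "distinct_hosts": peak,
                           "top_port": max(ports, key=ports.get)})
    return alerts


def make_sample_events() -> List[ConnEvent]:
    """Constructed traffic: PID 1608 (mssecsvc.exe in the report) sweeping 1252
    distinct hosts on one port (port 445 is an assumption for the sample), plus
    a benign process (assumed name and PID) talking repeatedly to five servers."""
    evs = []
    for i in range(1252):
        evs.append(ConnEvent(ts=i * 0.02, pid=1608, image="mssecsvc.exe",
                             dst_ip=f"10.0.{i // 256}.{i % 256}", dst_port=445))
    for i in range(300):
        evs.append(ConnEvent(ts=i * 0.1, pid=900, image="svchost.exe",
                             dst_ip=f"192.168.1.{10 + (i % 5)}", dst_port=443))
    return evs


if __name__ == "__main__":
    for alert in detect_fanout(make_sample_events()):
        print(alert)
```

Keying on distinct hosts rather than connection count is what separates a scan from a chatty but legitimate service: the benign process in the sample opens 300 connections but only ever to five hosts, so it never crosses the threshold. Tune `window_s` and `threshold` to the environment; a 60-second window with a threshold of 100 is a starting point, not a calibrated value.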
Processes
- C:\Windows\system32\rundll32.exe (PID 1156)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\073906fb1146a94214c99d3415297b5b.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 852)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\073906fb1146a94214c99d3415297b5b.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1608)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2000)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1052)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
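The process tree and the dropped-file signatures above are the pieces a detection engineer would turn into host-based rules: rundll32.exe writing an executable directly into C:\Windows, that executable being spawned by rundll32.exe, the `-m security` and `/i` command lines, and the SHA256 values of the dropped files. The script below is an added example of those rules applied to Sysmon-style process-creation and file-creation records, not code from the report or the sandbox. The event records are constructed for the example; the PIDs, images, command lines, drop paths and SHA256 values in them are copied from the report, while the parent processes of the two root processes (explorer.exe, services.exe) and their parent PIDs are assumptions, as is the benign rundll32.exe event used as a negative case.

```python
"""Added example: match the process tree and dropped-file IoCs from the report
against Sysmon-style process_create / file_create records. Records are
constructed; hashes, paths, PIDs and command lines come from the report."""
import fnmatch
from typing import Dict, List

# SHA256 values listed in the report (Target and Downloads sections).
KNOWN_SHA256 = {
    "fafa7cb85fe7b111bf2484141d8dd4ad763007202b1e78aa7ebdaab3bb121a26": "073906fb1146a94214c99d3415297b5b.dll",
    "d7c2aa2180b52adff9b3426d2fdc06403e48d964d2d27cf717487062b7956a89": "mssecsvc.exe",
    "23854b9310e703c5ae103bb5de5c83cf89bc10138fecab99533ebc4dd7207be7": "tasksche.exe",
}

# Command lines from the report's process tree (compared lower-cased).
CMDLINE_PATTERNS = ["*\\mssecsvc.exe -m security", "*\\tasksche.exe /i"]


def _in_windows_root(path: str) -> bool:
    """True for an .exe directly inside C:\\Windows (not a subdirectory), which is
    where the report shows rundll32.exe dropping mssecsvc.exe."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[:2] == ["c:", "windows"] and parts[2].endswith(".exe")


def check_event(ev: Dict) -> List[Dict]:
    """Return every rule hit for a single event (possibly none)."""
    hits = []
    pid = ev.get("pid")
    if ev["type"] == "process_create":
        image = ev["image"].lower()
        parent = ev.get("parent_image", "").lower()
        cmd = ev.get("command_line", "").lower()
        name = KNOWN_SHA256.get(ev.get("sha256", "").lower())
        if name:
            hits.append({"rule": "known_hash", "pid": pid, "detail": name})
        if parent.endswith("\\rundll32.exe") and _in_windows_root(image):
            hits.append({"rule": "rundll32_spawns_exe_in_windows", "pid": pid, "detail": image})
        for pat in CMDLINE_PATTERNS:
            if fnmatch.fnmatchcase(cmd, pat):
                hits.append({"rule": "known_cmdline", "pid": pid, "detail": cmd})
    elif ev["type"] == "file_create":
        if ev["image"].lower().endswith("\\rundll32.exe") and _in_windows_root(ev["target"]):
            hits.append({"rule": "rundll32_drops_exe_in_windows", "pid": pid, "detail": ev["target"]})
    return hits


def scan_events(events: List[Dict]) -> List[Dict]:
    return [h for ev in events for h in check_event(ev)]


def ancestry(pid: int, events: List[Dict]) -> List[str]:
    """Walk parent links upward and return command lines from `pid` to the root,
    so a hit on tasksche.exe can be traced back to the rundll32.exe + DLL launch."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process_create"}
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["command_line"])
        pid = procs[pid].get("ppid")
    return chain


DLL = r"C:\Users\Admin\AppData\Local\Temp\073906fb1146a94214c99d3415297b5b.dll"
SAMPLE_EVENTS = [  # constructed; mirrors the report's process tree
    {"type": "process_create", "pid": 1156, "ppid": 400, "image": r"C:\Windows\system32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",  # parent and ppid assumed; the report starts at rundll32
     "command_line": f"rundll32.exe {DLL},#1"},
    {"type": "process_create", "pid": 852, "ppid": 1156, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe", "command_line": f"rundll32.exe {DLL},#1"},
    {"type": "file_create", "pid": 852, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process_create", "pid": 1608, "ppid": 852, "image": r"C:\WINDOWS\mssecsvc.exe",
     "parent_image": r"C:\Windows\SysWOW64\rundll32.exe", "command_line": r"C:\WINDOWS\mssecsvc.exe",
     "sha256": "d7c2aa2180b52adff9b3426d2fdc06403e48d964d2d27cf717487062b7956a89"},
    {"type": "file_create", "pid": 1608, "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process_create", "pid": 2000, "ppid": 1608, "image": r"C:\WINDOWS\tasksche.exe",
     "parent_image": r"C:\WINDOWS\mssecsvc.exe", "command_line": r"C:\WINDOWS\tasksche.exe /i",
     "sha256": "23854b9310e703c5ae103bb5de5c83cf89bc10138fecab99533ebc4dd7207be7"},
    {"type": "process_create", "pid": 1052, "ppid": 480, "image": r"C:\WINDOWS\mssecsvc.exe",
     "parent_image": r"C:\Windows\System32\services.exe",  # assumed: the report shows no parent for 1052
     "command_line": r"C:\WINDOWS\mssecsvc.exe -m security",
     "sha256": "d7c2aa2180b52adff9b3426d2fdc06403e48d964d2d27cf717487062b7956a89"},
    # Assumed benign rundll32 use that must not fire: no drop into C:\Windows, no known hash.
    {"type": "process_create", "pid": 4242, "ppid": 400, "image": r"C:\Windows\system32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
    print(" <- ".join(ancestry(2000, SAMPLE_EVENTS)))
```

The hash rule is the most precise and the most brittle (a recompiled dropper changes it), while the rundll32-drops-into-C:\Windows and rundll32-spawns-from-C:\Windows rules are behavioural and survive a rebuild; `ancestry` is what lets an analyst get from the `tasksche.exe /i` hit back to the DLL path that was handed to rundll32.exe.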
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6e62c9ba8c9b866018f43687cc9d82f7
  SHA1: b92d863de68be1fa1610d7b36ebaaee07177d25c
  SHA256: d7c2aa2180b52adff9b3426d2fdc06403e48d964d2d27cf717487062b7956a89
  SHA512: 2a5b4f7b1d4107db8e84609ce9f8dbabd1087a68056c9ab60bf3c26baf11fb04666757013717b062869e43894cbb354315868d0700cffab88d83212928b24640
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6e62c9ba8c9b866018f43687cc9d82f7
  SHA1: b92d863de68be1fa1610d7b36ebaaee07177d25c
  SHA256: d7c2aa2180b52adff9b3426d2fdc06403e48d964d2d27cf717487062b7956a89
  SHA512: 2a5b4f7b1d4107db8e84609ce9f8dbabd1087a68056c9ab60bf3c26baf11fb04666757013717b062869e43894cbb354315868d0700cffab88d83212928b24640
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f9e34b42cb41b3b94857e1e65ce49bf5
  SHA1: 8ca85df9e553fb73780f4f461d1ceef50d0f8bee
  SHA256: 23854b9310e703c5ae103bb5de5c83cf89bc10138fecab99533ebc4dd7207be7
  SHA512: a1014103e6c892a89d8b89775a12a9d5a2baab777606baac36157d2272b2dd19c55356a09ff4cb0bcdd3b36fb49258c97d3a7b9c7bd6bafa2eac063b0136d02a
- memory/852-54-0x0000000000000000-mapping.dmp
- memory/852-55-0x00000000754F1000-0x00000000754F3000-memory.dmp
  Filesize: 8KB
- memory/1608-56-0x0000000000000000-mapping.dmp