Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
20-07-2022 01:34
Static task
static1
Behavioral task
behavioral1
Sample
da6ac5326498e7dfef73b0a8cf99a409.dll
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
da6ac5326498e7dfef73b0a8cf99a409.dll
Resource
win10v2004-20220414-en
General
-
Target
da6ac5326498e7dfef73b0a8cf99a409.dll
-
Size
5.0MB
-
MD5
da6ac5326498e7dfef73b0a8cf99a409
-
SHA1
d12a2d7f96c1a7448940332c94f537ecc9de59e1
-
SHA256
f5d6e57c830007ae7acd9e604aa6e1e1f6a3d1fe834c6e680f2aa18c0fef9cac
-
SHA512
d424bcb389c98d8985dd7f504cfe33cf4ac566aca2ed91376088f7d3d8c631f21031bbf74776c5d628f89528a6a2cb5a14785627b681ead39dccccb28d968ed2
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1258) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2008 mssecsvc.exe 1432 mssecsvc.exe 1248 tasksche.exe -
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2FD4529-A260-44A9-A15B-DD656A88BF35}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2FD4529-A260-44A9-A15B-DD656A88BF35}\9a-34-70-84-18-6e mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2FD4529-A260-44A9-A15B-DD656A88BF35}\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2FD4529-A260-44A9-A15B-DD656A88BF35}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-34-70-84-18-6e mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-34-70-84-18-6e\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ee000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2FD4529-A260-44A9-A15B-DD656A88BF35} mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E2FD4529-A260-44A9-A15B-DD656A88BF35}\WpadDecisionTime = a075edd5d89bd801 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-34-70-84-18-6e\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-34-70-84-18-6e\WpadDecisionTime = a075edd5d89bd801 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 760 wrote to memory of 1992 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1992 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1992 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1992 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1992 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1992 760 rundll32.exe rundll32.exe PID 760 wrote to memory of 1992 760 rundll32.exe rundll32.exe PID 1992 wrote to memory of 2008 1992 rundll32.exe mssecsvc.exe PID 1992 wrote to memory of 2008 1992 rundll32.exe mssecsvc.exe PID 1992 wrote to memory of 2008 1992 rundll32.exe mssecsvc.exe PID 1992 wrote to memory of 2008 1992 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\da6ac5326498e7dfef73b0a8cf99a409.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\da6ac5326498e7dfef73b0a8cf99a409.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD59ef67eb01f7edb9dd204529368627943
SHA1383d52ca7a7e99f7053c7f4ebca692bd2445f07a
SHA25696f416e0cba8262eb477cef07211c63cbe24e4b97e0cfd865049346d2f3e140f
SHA512f60270827402f42c907bd042aa00ca7f59892aa94932addba103cd069086ad8c8d0d0018043ec789d43308923853139d22e1d8536b44e1e430523db555fcb8c7
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD59ef67eb01f7edb9dd204529368627943
SHA1383d52ca7a7e99f7053c7f4ebca692bd2445f07a
SHA25696f416e0cba8262eb477cef07211c63cbe24e4b97e0cfd865049346d2f3e140f
SHA512f60270827402f42c907bd042aa00ca7f59892aa94932addba103cd069086ad8c8d0d0018043ec789d43308923853139d22e1d8536b44e1e430523db555fcb8c7
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD59ef67eb01f7edb9dd204529368627943
SHA1383d52ca7a7e99f7053c7f4ebca692bd2445f07a
SHA25696f416e0cba8262eb477cef07211c63cbe24e4b97e0cfd865049346d2f3e140f
SHA512f60270827402f42c907bd042aa00ca7f59892aa94932addba103cd069086ad8c8d0d0018043ec789d43308923853139d22e1d8536b44e1e430523db555fcb8c7
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD582ed5400745e791e1652a1644c730a55
SHA16f69a63881e9f66664125ed1f5bbb181f60a9e15
SHA256246f63172c1021f86f450872f28e4df9a7cacf6dfed420f50c62d489072f78b8
SHA51238f924fd7da34ed02123df70ec8c2fd4aa87ebf7da8a4566863568d81672fd3df00c42778882f0bcf9de14e2d17dc0c29cd70d1595f0aa7f486dd2880c33c095
-
memory/1992-54-0x0000000000000000-mapping.dmp
-
memory/1992-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmpFilesize
8KB
-
memory/2008-56-0x0000000000000000-mapping.dmp