Analysis
max time kernel: 151s
max time network: 153s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2022 01:33
Static task: static1
Behavioral task: behavioral1
Sample: d1e3bb77d27f27e98a33a21d16f35dde.dll
Resource: win7-20220718-en
Behavioral task: behavioral2
Sample: d1e3bb77d27f27e98a33a21d16f35dde.dll
Resource: win10v2004-20220718-en
General
Target: d1e3bb77d27f27e98a33a21d16f35dde.dll
Size: 5.0MB
MD5: d1e3bb77d27f27e98a33a21d16f35dde
SHA1: a00abd82ed0a4f90c4525692f20b8f64954263d8
SHA256: 5ff3670dc706430739e4ab20f8777d5ac3ace433bb0783b038fe8f9aaa2af461
SHA512: f7f8fdc2afc776a9fecce2cf4999afcc3a89c9ec5fc7b33e589b8286419ff5f8cf4a5f4db2c2bab60fa55ca771b72b7f4c791c31b345c7a074409c8b6e4565a8
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Contacts a large number (1238) of remote hosts (1 TTP): this may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID 1612: mssecsvc.exe
  PID 2044: mssecsvc.exe
  PID 1928: tasksche.exe
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (by mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs), all by mssecsvc.exe. IS below stands for \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (the sandbox records some of these keys with "Software" rather than "SOFTWARE"; registry key names are case-insensitive).
  Set value (int)  IS\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadDecision = "0"
  Set value (int)  IS\Wpad\a6-6b-26-6b-84-8e\WpadDecisionReason = "1"
  Key created      IS
  Key created      IS\Connections
  Key created      IS
  Set value (int)  IS\ProxyEnable = "0"
  Set value (data) IS\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) IS\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadDecisionTime = 60864475e99bd801
  Key created      IS\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}
  Set value (str)  IS\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadNetworkName = "Network 3"
  Set value (int)  IS\Wpad\a6-6b-26-6b-84-8e\WpadDecision = "0"
  Key created      IS\ZoneMap\
  Set value (int)  IS\ZoneMap\AutoDetect = "1"
  Set value (str)  IS\5.0\Cache\Content\CachePrefix
  Set value (str)  IS\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created      IS\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\a6-6b-26-6b-84-8e
  Set value (data) IS\Wpad\a6-6b-26-6b-84-8e\WpadDecisionTime = 60864475e99bd801
  Key created      IS\Wpad\a6-6b-26-6b-84-8e
  Set value (data) IS\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) IS\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  IS\ZoneMap\UNCAsIntranet = "0"
  Set value (str)  IS\5.0\Cache\History\CachePrefix = "Visited:"
  Key created      IS\Wpad
  Set value (int)  IS\Wpad\{3A5A17F7-137A-426E-9AC2-40F809C1E4DD}\WpadDecisionReason = "1"
  Note: HKEY_USERS\.DEFAULT is the profile a LocalSystem service runs under, and these WPAD, proxy and cache-prefix keys (together with counters.dat under the systemprofile Temporary Internet Files directory) are what WinINet initialises on first use in that context. The set is therefore consistent with mssecsvc.exe issuing an HTTP request from service context (PID 2044, started with -m security) rather than with deliberate registry tampering or persistence.
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1172 rundll32.exe wrote to memory of PID 1196 rundll32.exe (7 events)
  PID 1196 rundll32.exe wrote to memory of PID 1612 mssecsvc.exe (4 events)
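The "contacts a large number of remote hosts" signature above is a fan-out count: one source reaching many distinct peers in a short time. The following is an added example, not part of this report or of any sandbox's code, of the same logic run over flow records so it can be reused on firewall or NetFlow exports. The flows are constructed to reproduce the report's figure (1238 distinct hosts from one source); the report does not state the destination port, so port 445 in the sample is an assumption based on WannaCry's known SMB propagation, and the threshold and window are tunables rather than values from the report.

```python
from collections import defaultdict, deque
from ipaddress import IPv4Address


def make_sample_flows():
    """Constructed flow records (timestamp_s, src, dst, dport), not sandbox data.
    One host sweeps 1238 distinct peers (the report's count) inside two minutes;
    a second host talks to five peers with repeats, as a workstation might.
    Port 445 is an assumption: the report gives the host count, not the port."""
    flows = []
    first = int(IPv4Address("10.20.0.1"))
    for i in range(1238):
        flows.append((10.0 + i * 0.09, "10.20.99.7", str(IPv4Address(first + i)), 445))
    for i, dst in enumerate(["10.20.0.10", "10.20.0.11", "10.20.0.12", "10.20.0.10", "10.20.0.13"]):
        flows.append((20.0 + i, "10.20.99.8", dst, 445))
    return flows


def detect_fanout(flows, threshold=100, window_s=120.0):
    """Flag (src, dport) pairs that reach more than `threshold` distinct
    destinations within any `window_s`-second sliding window.
    Returns {(src, dport): peak_distinct_destinations}."""
    flows = sorted(flows)                                   # order by timestamp
    window = defaultdict(deque)                             # key -> deque[(ts, dst)]
    refcount = defaultdict(lambda: defaultdict(int))        # key -> dst -> hits in window
    alerts = {}
    for ts, src, dst, dport in flows:
        key = (src, dport)
        q, seen = window[key], refcount[key]
        q.append((ts, dst))
        seen[dst] += 1
        # Expire flows that fell out of the window; drop a destination only when
        # none of its flows remain, so repeats do not inflate the distinct count.
        while q and ts - q[0][0] > window_s:
            old_ts, old_dst = q.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        if len(seen) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(seen))
    return alerts


if __name__ == "__main__":
    for (src, dport), peak in detect_fanout(make_sample_flows()).items():
        print(f"{src} reached {peak} distinct hosts on port {dport} within 120 s")
```

Distinct destinations are counted per (source, port) pair so that a host with many connections to a handful of peers, which is normal for file-server traffic, does not trigger; the window keeps a per-destination reference count so expiring one repeat of a peer does not remove the peer while other hits remain. In a real deployment the threshold should be set from a baseline of the network's own fan-out distribution.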
Processes
C:\Windows\system32\rundll32.exe (PID 1172)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e3bb77d27f27e98a33a21d16f35dde.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1196)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e3bb77d27f27e98a33a21d16f35dde.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 1612)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 1928)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 2044)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Indentation shows parent-child relationships. The 64-bit rundll32.exe (PID 1172) hands off to the SysWOW64 rundll32.exe (PID 1196) because the sample is a 32-bit DLL, which is why the WriteProcessMemory events pair those two PIDs; the export invoked is ordinal #1. The second tree root (PID 2044, "-m security") is the dropped mssecsvc.exe relaunched outside the rundll32 tree, and it is this instance that performs the HKEY_USERS writes and the counters.dat modification.
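The process tree above is the execution chain a detection engineer would want to catch on endpoints: rundll32.exe loading a DLL from a user's Temp directory by ordinal export, a child executable dropped directly into C:\WINDOWS, and that child spawning tasksche.exe. The following is an added example, not part of this report or of any sandbox's code, that parses process-creation events and flags each step plus the full chain. The events are constructed to mirror the report's PIDs and command lines (with one benign rundll32 invocation as a control); the key=value layout and the parent PIDs 612, 480 and 1400 are assumptions, and the field names only borrow Sysmon Event ID 1 naming.

```python
import re

# Constructed process-creation events shaped after the report's process tree
# (PIDs 1172, 1196, 1612, 1928, 2044) plus one benign rundll32 use as a control.
# Field names borrow Sysmon Event ID 1 naming; the key=value layout and the
# unseen parent PIDs are assumptions for this example, not a real log export.
SAMPLE_EVENTS = r"""
ProcessId=1172 ParentProcessId=612 Image=C:\Windows\system32\rundll32.exe CommandLine="rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e3bb77d27f27e98a33a21d16f35dde.dll,#1"
ProcessId=1196 ParentProcessId=1172 Image=C:\Windows\SysWOW64\rundll32.exe CommandLine="rundll32.exe C:\Users\Admin\AppData\Local\Temp\d1e3bb77d27f27e98a33a21d16f35dde.dll,#1"
ProcessId=1612 ParentProcessId=1196 Image=C:\WINDOWS\mssecsvc.exe CommandLine="C:\WINDOWS\mssecsvc.exe"
ProcessId=1928 ParentProcessId=1612 Image=C:\WINDOWS\tasksche.exe CommandLine="C:\WINDOWS\tasksche.exe /i"
ProcessId=2044 ParentProcessId=480 Image=C:\WINDOWS\mssecsvc.exe CommandLine="C:\WINDOWS\mssecsvc.exe -m security"
ProcessId=3001 ParentProcessId=1400 Image=C:\Windows\system32\rundll32.exe CommandLine="rundll32.exe shell32.dll,Control_RunDLL"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# rundll32 invoking an export by ordinal from a DLL in the user's Temp directory
RUNDLL_TEMP_RE = re.compile(r"rundll32\.exe\s+.*\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.I)
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}  # dropped-file names from the report


def parse_events(text):
    """Parse key=value lines into {pid: {pid, ppid, image, cmd}}."""
    events = {}
    for line in text.strip().splitlines():
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        pid = int(f["ProcessId"])
        events[pid] = {"pid": pid, "ppid": int(f["ParentProcessId"]),
                       "image": f["Image"], "cmd": f["CommandLine"]}
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_windows_root(path):
    """True for C:\\Windows\\<file>, i.e. directly in the Windows directory."""
    parts = path.split("\\")
    return len(parts) == 3 and parts[0].lower() == "c:" and parts[1].lower() == "windows"


def ancestry(events, pid, max_depth=4):
    """Walk parent links upward, returning [pid, ppid, ...] while parents are known."""
    chain = []
    while pid in events and len(chain) < max_depth:
        chain.append(pid)
        pid = events[pid]["ppid"]
    return chain


def detect(events):
    """Return [(pid, reason)] for every event matching a report-derived indicator."""
    findings = []
    for ev in events.values():
        name = basename(ev["image"])
        if name == "rundll32.exe" and RUNDLL_TEMP_RE.search(ev["cmd"]):
            findings.append((ev["pid"], "rundll32 loads a DLL from user Temp by ordinal export"))
        if name in DROPPED_NAMES and in_windows_root(ev["image"]):
            findings.append((ev["pid"], f"{name} executed directly from the Windows directory"))
        if name == "mssecsvc.exe" and "-m security" in ev["cmd"].lower():
            findings.append((ev["pid"], "mssecsvc.exe relaunched with -m security"))
    # Chain: tasksche.exe <- mssecsvc.exe <- rundll32.exe, tolerating the
    # system32 -> SysWOW64 rundll32 hop seen in the report.
    for ev in events.values():
        if basename(ev["image"]) != "tasksche.exe":
            continue
        chain = ancestry(events, ev["pid"])
        names = {basename(events[p]["image"]) for p in chain}
        if {"mssecsvc.exe", "rundll32.exe"} <= names:
            path = " -> ".join(str(p) for p in reversed(chain))
            findings.append((ev["pid"], f"rundll32 -> mssecsvc.exe -> tasksche.exe chain: {path}"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(parse_events(SAMPLE_EVENTS)):
        print(f"PID {pid}: {reason}")
```

The file-name indicators are the weakest part (a variant can rename its droppers); the rundll32-from-Temp-by-ordinal rule and the parent-child chain survive renaming and are the ones worth keeping in a production rule, with the ancestry walk bounded so a deep tree cannot make the correlation expensive.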
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe (also recorded as C:\Windows\mssecsvc.exe; the report lists this file three times with identical hashes)
  Filesize: 3.6MB
  MD5: 5ba925494b73756d097e80120e2f8643
  SHA1: 94802dd4290fb1a754d4e528b9b17f8cede48684
  SHA256: 0dc746e2f1d11dce59e2204750efa789ce75e3adda8a6ffa2abd12cb3686d351
  SHA512: 791192fa7a9774c8d2315557ea10312ac37a774ea253c4edbd66d1c6ee58044d851254fe14f887fc99e13ead7b0c0baa9f88b25db8db3225771695f4787663a0
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3b77b7c0b982d993043f011f53c197a3
  SHA1: c61468cd39a074654adba2081bf5889ef68887b4
  SHA256: 5d84cf9769c5820e7932497ed6a333c7df27ad01329884059418970af0918653
  SHA512: 680b0aceeb9204beb325a2fef8f536d36bad08dfded92d70b6ec0f3a4ae884b73a78fd764883b1210963711ad1d86a9f87646e7410e2f4678fc862f4f9344867
- memory/1196-54-0x0000000000000000-mapping.dmp
- memory/1196-55-0x00000000754F1000-0x00000000754F3000-memory.dmp
  Filesize: 8KB
- memory/1612-56-0x0000000000000000-mapping.dmp