Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
20-07-2022 01:55
Static task
static1
Behavioral task
behavioral1
Sample
78eae7fce7c9388446dc27ff213fe28b.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
78eae7fce7c9388446dc27ff213fe28b.dll
Resource
win10v2004-20220718-en
General
-
Target
78eae7fce7c9388446dc27ff213fe28b.dll
-
Size
5.0MB
-
MD5
78eae7fce7c9388446dc27ff213fe28b
-
SHA1
4e153396fa78a220c583cac81198be16648d8c32
-
SHA256
8b51945ada866301cd583744f4363bbeac1b7ec84ee78c0135824a2dc57f7244
-
SHA512
4c4ceaf90e58740e8d74d8640eb2d4e6c765257c9c10fce683f046fd8d65492533329e127800d0b94300b1fe7435a6e03024af0dbd5390e92e00dcaa4fa1168d
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1282) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 784 mssecsvc.exe 1360 mssecsvc.exe 1392 tasksche.exe -
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455}\aa-9d-f8-8b-a5-59 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9d-f8-8b-a5-59\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9d-f8-8b-a5-59 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9d-f8-8b-a5-59\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9d-f8-8b-a5-59\WpadDecisionTime = 1051608bec9bd801 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455} mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455}\WpadDecisionTime = 1051608bec9bd801 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1124 wrote to memory of 540 1124 rundll32.exe rundll32.exe PID 1124 wrote to memory of 540 1124 rundll32.exe rundll32.exe PID 1124 wrote to memory of 540 1124 rundll32.exe rundll32.exe PID 1124 wrote to memory of 540 1124 rundll32.exe rundll32.exe PID 1124 wrote to memory of 540 1124 rundll32.exe rundll32.exe PID 1124 wrote to memory of 540 1124 rundll32.exe rundll32.exe PID 1124 wrote to memory of 540 1124 rundll32.exe rundll32.exe PID 540 wrote to memory of 784 540 rundll32.exe mssecsvc.exe PID 540 wrote to memory of 784 540 rundll32.exe mssecsvc.exe PID 540 wrote to memory of 784 540 rundll32.exe mssecsvc.exe PID 540 wrote to memory of 784 540 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\78eae7fce7c9388446dc27ff213fe28b.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\78eae7fce7c9388446dc27ff213fe28b.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:540 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:784 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:1392
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1360
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5cacc6729c6beb693dedaeb6725c1f11e
SHA1eca13474ed4342ae9425096d9af0751ba168e67c
SHA25695c3d2057098f39398218abe9f59a684e90aefc53546cb3a3a35b40d2bc2f286
SHA5125b767093a541668fd7b6486c7e1dbb08453f369a79a4d9aec22a25bc37e271de2c76a6a529d2ea01becd6b432d62c099776c1c54e738ee234e58441605cab447
-
Filesize
3.6MB
MD5cacc6729c6beb693dedaeb6725c1f11e
SHA1eca13474ed4342ae9425096d9af0751ba168e67c
SHA25695c3d2057098f39398218abe9f59a684e90aefc53546cb3a3a35b40d2bc2f286
SHA5125b767093a541668fd7b6486c7e1dbb08453f369a79a4d9aec22a25bc37e271de2c76a6a529d2ea01becd6b432d62c099776c1c54e738ee234e58441605cab447
-
Filesize
3.6MB
MD5cacc6729c6beb693dedaeb6725c1f11e
SHA1eca13474ed4342ae9425096d9af0751ba168e67c
SHA25695c3d2057098f39398218abe9f59a684e90aefc53546cb3a3a35b40d2bc2f286
SHA5125b767093a541668fd7b6486c7e1dbb08453f369a79a4d9aec22a25bc37e271de2c76a6a529d2ea01becd6b432d62c099776c1c54e738ee234e58441605cab447
-
Filesize
3.4MB
MD5e77b6f2af12d54a10c978b7f665c11c1
SHA12cf4a829a8598234f206d682b12387ef4017a09e
SHA256edac81687e84c1433f1edcdbfb346a7b7fbb93365f98834fa6fc92821852d3e7
SHA51281bdf8ea3f116c4921982901161274ff2e476003637fcc8b4fc47e3d29f6482ecd547d383978991ff8ff7474236595241a2dd99b975ace5dd4c8ee8125bf833f