Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:57
Static task: static1
Behavioral task: behavioral1
- Sample: d253b19d8c2e2b0fa2e87282f575c490.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: d253b19d8c2e2b0fa2e87282f575c490.dll
- Resource: win10v2004-20220718-en
General
- Target: d253b19d8c2e2b0fa2e87282f575c490.dll
- Size: 5.0MB
- MD5: d253b19d8c2e2b0fa2e87282f575c490
- SHA1: ab6f0d00f151c548e1f9c1943ed3a36a13db3b6a
- SHA256: 897768acb54fb896fcf43548494fc7dd637e1ecc062d9b313b8a3bf9fb947535
- SHA512: 40753dc9b8e1dc3ab2f8fd303ae159b9a2d87407d0c41d9438ae2660dfdb1335fe9967be683661ae6a7cb89cb8cefc2d48eb0929f863dd66cac323c36f238bf3
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (961) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
    1976  mssecsvc.exe
    848   mssecsvc.exe
    2040  tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, IoC, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, IoC, process):
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, IoC, process); all entries by mssecsvc.exe:
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F9BAEDB-BA5A-4FF9-BCEB-D9F455AA310D}\WpadDecisionTime = 208d760cdc9bd801
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F9BAEDB-BA5A-4FF9-BCEB-D9F455AA310D}\WpadNetworkName = "Network 3"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-2d-77-ba-d2-33\WpadDecision = "0"
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F9BAEDB-BA5A-4FF9-BCEB-D9F455AA310D}\WpadDecisionReason = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F9BAEDB-BA5A-4FF9-BCEB-D9F455AA310D}\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-2d-77-ba-d2-33
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-2d-77-ba-d2-33\WpadDecisionReason = "1"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F9BAEDB-BA5A-4FF9-BCEB-D9F455AA310D}
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-2d-77-ba-d2-33\WpadDecisionTime = 208d760cdc9bd801
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F9BAEDB-BA5A-4FF9-BCEB-D9F455AA310D}\6e-2d-77-ba-d2-33
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, PID, process, target process):
    PID 576 wrote to memory of 1972   576   rundll32.exe  rundll32.exe
    PID 576 wrote to memory of 1972   576   rundll32.exe  rundll32.exe
    PID 576 wrote to memory of 1972   576   rundll32.exe  rundll32.exe
    PID 576 wrote to memory of 1972   576   rundll32.exe  rundll32.exe
    PID 576 wrote to memory of 1972   576   rundll32.exe  rundll32.exe
    PID 576 wrote to memory of 1972   576   rundll32.exe  rundll32.exe
    PID 576 wrote to memory of 1972   576   rundll32.exe  rundll32.exe
    PID 1972 wrote to memory of 1976  1972  rundll32.exe  mssecsvc.exe
    PID 1972 wrote to memory of 1976  1972  rundll32.exe  mssecsvc.exe
    PID 1972 wrote to memory of 1976  1972  rundll32.exe  mssecsvc.exe
    PID 1972 wrote to memory of 1976  1972  rundll32.exe  mssecsvc.exe
Processes (tree; indentation shows parent/child relationship)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d253b19d8c2e2b0fa2e87282f575c490.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d253b19d8c2e2b0fa2e87282f575c490.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: aca0183b65f707824451a26c2afabe8d
  SHA1: 8b82d48ca19323bdaf207806a2ddede1c8df22d9
  SHA256: 26a08e2883f14fc2e3c8ba2aed667f5d73407b181108d2bcea501206ef2b8e70
  SHA512: 6b01c5f5fce1b418029c2deaedd4f5ba10299272ad1b6beabd8bc8e044a10aa299dc7f8aa3cfd08a74421df94d524d9f795cabc4876506bae1f37194ea1f9153
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: aca0183b65f707824451a26c2afabe8d
  SHA1: 8b82d48ca19323bdaf207806a2ddede1c8df22d9
  SHA256: 26a08e2883f14fc2e3c8ba2aed667f5d73407b181108d2bcea501206ef2b8e70
  SHA512: 6b01c5f5fce1b418029c2deaedd4f5ba10299272ad1b6beabd8bc8e044a10aa299dc7f8aa3cfd08a74421df94d524d9f795cabc4876506bae1f37194ea1f9153
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b28af569881d85a183a91438bc35abb1
  SHA1: 857e19e8f2f9dd6c3a43f2defcf214fe116affca
  SHA256: 837aa77b122962862d55e37c10f1544db08aaaf095d877e6265d7025334343b5
  SHA512: 59614eba8868c06c159537bf594af154b56bb0f2f0c4ec09a104b5073526507e58836f3f16b454fa95327983359baf7e2f02ede4c597ab412be18dc574d26ec5
- memory/1972-54-0x0000000000000000-mapping.dmp
- memory/1972-55-0x0000000076631000-0x0000000076633000-memory.dmp
  Filesize: 8KB
- memory/1976-56-0x0000000000000000-mapping.dmp