Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 03:15

Static task: static1

Behavioral task: behavioral1
- Sample: 4bdb678d95f5d6284f95f9254cccb49f.dll
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 4bdb678d95f5d6284f95f9254cccb49f.dll
- Resource: win10v2004-20220718-en
General
- Target: 4bdb678d95f5d6284f95f9254cccb49f.dll
- Size: 5.0MB
- MD5: 4bdb678d95f5d6284f95f9254cccb49f
- SHA1: 75585376ab7c97f79ec782a590b37ee01b821930
- SHA256: 82fbd5e91ad1a70839605f4985d6b6be7a5dbada644912119db7a2c25aa294b5
- SHA512: 5ff91cf3c499c01b7a9afaea66dfc62a982e3258b76f726f851a84c1883aa902a533e2c57141e39a62e0ae0ec9908568020431e732c8ed38134f9b725fe55e34
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1263) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2036 mssecsvc.exe
  - 904 mssecsvc.exe
  - 1464 tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc; all entries by mssecsvc.exe):
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2416CCD9-80FE-4F92-8545-C9B01F27B9D0}\WpadDecisionTime = e04f12b4f79bd801
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-3a-e4-6c-9a-8f
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-3a-e4-6c-9a-8f\WpadDecisionReason = "1"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-3a-e4-6c-9a-8f\WpadDecision = "0"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2416CCD9-80FE-4F92-8545-C9B01F27B9D0}
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2416CCD9-80FE-4F92-8545-C9B01F27B9D0}\WpadDecisionReason = "1"
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2416CCD9-80FE-4F92-8545-C9B01F27B9D0}\WpadDecision = "0"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2416CCD9-80FE-4F92-8545-C9B01F27B9D0}\8a-3a-e4-6c-9a-8f
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-3a-e4-6c-9a-8f\WpadDecisionTime = e04f12b4f79bd801
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2416CCD9-80FE-4F92-8545-C9B01F27B9D0}\WpadNetworkName = "Network 3"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 1180 wrote to memory of 1916: rundll32.exe -> rundll32.exe (7 occurrences)
  - PID 1916 wrote to memory of 2036: rundll32.exe -> mssecsvc.exe (4 occurrences)
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bdb678d95f5d6284f95f9254cccb49f.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4bdb678d95f5d6284f95f9254cccb49f.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: ccd3b3d1821abf3912be165c14db9246
  SHA1: a2269e467c06453badeca3ba1dd709cef3e82ca4
  SHA256: 1317e24704306ab9bfc8c220935c0a9a0e3fa7ed74499b1a0d9be5cf5502d760
  SHA512: 884f8981fc6ecbb8eebc5ee33de1426eef45f41ea3c4dbb696ce0f90aaffd7a07cbbd4dcf775e7d8bbee954d92fac5bbb21423174ef41b47e7f7f8270dbebbb5
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 02b589c5ec944eb8c64c1b13b49f6cfe
  SHA1: 988b21e6a1f08b8faa75e7647a0c46616366ca75
  SHA256: 4edb742badddc3e019c7b90d70d209ca47de43fa666ed049be9070a8b52c3282
  SHA512: 670b6ffd223c64d0fb3eaf29976dab6239d794d5fec73e1345eb4ee829655a115e703919ee96f3c12fd20ffff4035e99d4e4448952937c9f509659644892fd48
- memory/1916-54-0x0000000000000000-mapping.dmp
- memory/1916-55-0x0000000075481000-0x0000000075483000-memory.dmp
  Filesize: 8KB
- memory/2036-56-0x0000000000000000-mapping.dmp