Analysis
-
max time kernel
151s
-
max time network
153s
-
platform
windows7_x64
-
resource
win7-20220718-en
-
resource tags
arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
-
submitted
20/07/2022, 07:34
Static task
static1
Behavioral task
behavioral1
Sample
50cbca00cd028986ce1c332c8093cdd9.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
50cbca00cd028986ce1c332c8093cdd9.dll
Resource
win10v2004-20220414-en
General
-
Target
50cbca00cd028986ce1c332c8093cdd9.dll
-
Size
5.0MB
-
MD5
50cbca00cd028986ce1c332c8093cdd9
-
SHA1
80e9c0da857b9ed792a9fae87f56ed3363ffb8b4
-
SHA256
fecdbea3b7439653a0b422b22bb957577b0f100dc43b13148c20cc282cd4d865
-
SHA512
b8fab37e2d280f0c518ca9e503c5d6cfd77fee1791c3a2c60365b939114b98099106d4bd98556f5aa7a762a32c0b64b5d3ac88beae81bb02645408bf2d114d56
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (973) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid    Process
1620   mssecsvc.exe
268    mssecsvc.exe
1568   tasksche.exe
-
Drops file in System32 directory 1 IoCs
description   ioc   Process
File opened for modification   C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat   mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
description   ioc   Process
File created   C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created   C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
description   ioc   Process
Key created   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections   mssecsvc.exe
Key created   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-31-93-ef-c4-8f   mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-31-93-ef-c4-8f\WpadDecisionReason = "1"   mssecsvc.exe
Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-31-93-ef-c4-8f\WpadDecisionTime = 3019e7f11b9cd801   mssecsvc.exe
Key created   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad   mssecsvc.exe
Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
Key created   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings   mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"   mssecsvc.exe
Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"   mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"   mssecsvc.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"   mssecsvc.exe
Key created   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings   mssecsvc.exe
Key created   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\   mssecsvc.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix   mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2}\WpadDecision = "0"   mssecsvc.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2}\WpadNetworkName = "Network 3"   mssecsvc.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"   mssecsvc.exe
Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
Key created   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2}   mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2}\WpadDecisionReason = "1"   mssecsvc.exe
Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2}\WpadDecisionTime = 3019e7f11b9cd801   mssecsvc.exe
Key created   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2}\52-31-93-ef-c4-8f   mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-31-93-ef-c4-8f\WpadDecision = "0"   mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
description   pid   Process   procid_target   occurrences
PID 944 wrote to memory of 1892   944   rundll32.exe   27   7
PID 1892 wrote to memory of 1620   1892   rundll32.exe   28   4
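The "contacts a large number of remote hosts" signature above is a fan-out heuristic: one process opening connections to far more distinct destination addresses, in a short window, than any normal client would. The following is an added example (it is not the sandbox's own detection logic) that implements that heuristic as a two-pointer sliding window over connection records. The input is constructed inline: the dropped mssecsvc.exe (PID 1620 in this report) reaching 973 distinct hosts, beside a low-fan-out process. The report states only the host count, so the destination port 445 in the sample data, the window length and the threshold are assumptions.

```python
"""Fan-out detector for the 'contacts a large number of remote hosts' signature.

Added example, not part of the sandbox report. Walks connection records
(constructed below; real input would be Sysmon Event ID 3 or firewall logs)
and flags any process that reaches more distinct destination hosts inside a
time window than a threshold. The destination port 445 in the sample data is
an assumption for illustration; the report only states the host count (973).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float       # seconds since start of the trace
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def max_distinct_hosts(conns, window):
    """Largest number of distinct dst_ip seen in any `window`-second span.

    Two-pointer sweep over records sorted by timestamp; O(n) with a
    multiset of the hosts currently inside the window.
    """
    conns = sorted(conns, key=lambda c: c.ts)
    inside = Counter()
    best = 0
    lo = 0
    for c in conns:
        inside[c.dst_ip] += 1
        while c.ts - conns[lo].ts > window:
            old = conns[lo].dst_ip
            inside[old] -= 1
            if inside[old] == 0:
                del inside[old]
            lo += 1
        best = max(best, len(inside))
    return best


def detect_scan(records, threshold=100, window=60.0):
    """Return {(pid, image): {hosts, dominant_port, flagged}} per process.

    `hosts` is the peak distinct-host count inside any `window` seconds;
    `flagged` is True when it reaches `threshold`.
    """
    by_proc = defaultdict(list)
    for r in records:
        by_proc[(r.pid, r.image)].append(r)
    report = {}
    for key, conns in by_proc.items():
        hosts = max_distinct_hosts(conns, window)
        port, _ = Counter(c.dst_port for c in conns).most_common(1)[0]
        report[key] = {"hosts": hosts, "dominant_port": port,
                       "flagged": hosts >= threshold}
    return report


def sample_records():
    """Constructed trace (not captured data): the dropped mssecsvc.exe
    (PID 1620 in the report) touching 973 distinct addresses 50 ms apart,
    plus a process with ordinary fan-out. Addresses are arbitrary."""
    recs = []
    for i in range(973):
        recs.append(Conn(ts=i * 0.05, pid=1620, image="mssecsvc.exe",
                         dst_ip=f"10.{i // 256}.{i % 256}.1", dst_port=445))
    for i in range(5):
        recs.append(Conn(ts=i * 10.0, pid=1000, image="svchost.exe",
                         dst_ip=f"192.0.2.{i + 1}", dst_port=443))
    return recs


if __name__ == "__main__":
    for (pid, image), r in sorted(detect_scan(sample_records()).items()):
        flag = "SCAN?" if r["flagged"] else "ok"
        print(f"{image:14} pid={pid:<5} distinct_hosts={r['hosts']:<4} "
              f"port={r['dominant_port']:<5} {flag}")
```

The window matters: the same 973 hosts spread over a day are not a scan, which is why the detector keys on the peak count inside a bounded span rather than the lifetime total. The dominant port is reported alongside the count so an analyst can tell a service-discovery sweep (one port, many hosts) from a process that simply talks to many peers.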
Processes
-
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\50cbca00cd028986ce1c332c8093cdd9.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:944
  -
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\50cbca00cd028986ce1c332c8093cdd9.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1892
    -
    C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:1620
      -
      C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:1568
-
C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:268
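The process tree above is the part of this report that transfers best to endpoint detection: rundll32.exe loading the sample drops C:\WINDOWS\mssecsvc.exe, that binary drops and runs C:\WINDOWS\tasksche.exe /i, and a second mssecsvc.exe instance starts with -m security. The following is an added example, not the sandbox's own code, that replays those relationships as constructed process-create and file-create events (Sysmon Event ID 1 and 11 shaped, with simplified field names) and flags each link of the chain. PIDs, images and command lines are taken from the report; the parent PIDs of the two roots, the benign notepad.exe event and the event layout are assumptions.

```python
"""Process-chain and drop-path checks for the behaviour in the report.

Added example, not the sandbox's own code. Replays constructed process-create
and file-create events and flags the chain the report shows:
  rundll32.exe -> C:\\WINDOWS\\mssecsvc.exe -> C:\\WINDOWS\\tasksche.exe /i
plus the relaunch `mssecsvc.exe -m security` and the drops into C:\\WINDOWS.
Parent PIDs of the two roots (900, 480) and the notepad.exe event are assumed.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcEvent:          # Sysmon Event ID 1, reduced to what the check needs
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:          # Sysmon Event ID 11, reduced
    pid: int
    image: str
    target: str


DROP_NAMES = {"mssecsvc.exe", "tasksche.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def ancestry(procs, pid):
    """Image basenames from `pid` up to the first parent we have no event for.
    A `seen` set guards against PID reuse producing a cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(_base(procs[pid].image))
        pid = procs[pid].ppid
    return chain


def find_wannacry(proc_events, file_events):
    """Return (kind, pid, detail) findings for the chain in the report."""
    procs = {e.pid: e for e in proc_events}
    findings = []
    for e in proc_events:
        name = _base(e.image)
        args = e.cmdline.lower().split()
        chain = ancestry(procs, e.pid)
        # tasksche.exe /i started underneath mssecsvc.exe
        if name == "tasksche.exe" and "/i" in args and "mssecsvc.exe" in chain[1:]:
            findings.append(("install-chain", e.pid, " <- ".join(chain)))
        # the relaunch seen as the second root of the process tree
        if name == "mssecsvc.exe" and args[-2:] == ["-m", "security"]:
            findings.append(("service-launch", e.pid, e.cmdline))
        # mssecsvc.exe spawned by the rundll32.exe that loaded the DLL
        if name == "mssecsvc.exe" and "rundll32.exe" in chain[1:]:
            findings.append(("dropper-spawn", e.pid, " <- ".join(chain)))
    for f in file_events:
        if _base(f.target) in DROP_NAMES and ntpath.dirname(f.target).lower() == r"c:\windows":
            findings.append(("drop", f.pid, f"{_base(f.image)} wrote {f.target}"))
    return findings


def sample_events():
    """Constructed events mirroring the report's process tree and file drops."""
    dll = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\50cbca00cd028986ce1c332c8093cdd9.dll,#1"
    procs = [
        ProcEvent(944, 900, r"C:\Windows\system32\rundll32.exe", dll),      # ppid assumed
        ProcEvent(1892, 944, r"C:\Windows\SysWOW64\rundll32.exe", dll),
        ProcEvent(1620, 1892, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
        ProcEvent(1568, 1620, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
        ProcEvent(268, 480, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),  # ppid assumed
        ProcEvent(2100, 1700, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign, assumed
    ]
    files = [
        FileEvent(1892, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
        FileEvent(1620, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
        FileEvent(2100, r"C:\Windows\System32\notepad.exe", r"C:\Users\Admin\notes.txt"),
    ]
    return procs, files


if __name__ == "__main__":
    for kind, pid, detail in find_wannacry(*sample_events()):
        print(f"{kind:15} pid={pid:<5} {detail}")
```

Each check keys on a relationship rather than a name alone: tasksche.exe is only interesting with /i and an mssecsvc.exe ancestor, and mssecsvc.exe is only interesting when rundll32.exe sits above it or when it carries the -m security arguments. The second root in the report (PID 268) has no rundll32.exe ancestor, so it is caught by the command-line check and not by the parentage check, which is why both are kept.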
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
3.6MB
-
MD5
985ba4ef47df1da29ee4751ccbef41bd
-
SHA1
c3518542cd5328dbfe54cda103d57858965ccd10
-
SHA256
0478b53bae63fdac319a40ff83d46f5bf51736cb36930f30c7ea54ec35b321e6
-
SHA512
3a9c4c9388ccf3221ccdcfd552241df14c52279708aaed65ed40cf59ff46f589d7ae61ea6ac328afabd6d5904415e5e77c170bf08d83f2349642da08ba8c8f7f
(this 3.6MB file appears three times in the report with identical hashes)
-
Filesize
3.4MB
-
MD5
34162f39d0401884115a772a8619cd45
-
SHA1
0a74ce265b922c0020acee72ddfebb0505e99f7c
-
SHA256
3cb80529bef49f8fcaa87e3b40cdf3c79beeac3cde3d84e7eba25812ccf43842
-
SHA512
16dcbaa0ddc727f264bdfd378db49856b1055ce3e17f1eb7c27d758fdac607394c69f0c92d9bf31f6d39dd78a2f4856c368930be861ef1200309038af1dd6e1b