Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 20/07/2022, 07:33
Static task
- static1

Behavioral task
- behavioral1
  Sample: 6353fcf21cbb20bb16c91910721a60f5.dll
  Resource: win7-20220715-en

Behavioral task
- behavioral2
  Sample: 6353fcf21cbb20bb16c91910721a60f5.dll
  Resource: win10v2004-20220414-en
General
- Target: 6353fcf21cbb20bb16c91910721a60f5.dll
- Size: 5.0MB
- MD5: 6353fcf21cbb20bb16c91910721a60f5
- SHA1: 1316b1c217d57fad4f22bbb5f6328cd4107a465d
- SHA256: 894e8d4d249a48c088c18adc6b1f6a1fe1073aadd364c99204c813f6018d0805
- SHA512: 719ff5d6efe6000459c49a051b3609fd750d454ebc0a4d2d5cc6a6d3f06a4461f5d454cfbfd7ae6c717905117d4b0f72d9de989fd1e0b7c28245073c6331ea38
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1275) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2004  mssecsvc.exe
  1804  mssecsvc.exe
  1724  tasksche.exe
- Drops file in System32 directory (1 IoC)
  description                   ioc                                                                                                                     Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs; all by mssecsvc.exe)
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{755E8629-778A-4B08-8B9B-3C503651D993}\ca-08-7d-98-6d-69
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{755E8629-778A-4B08-8B9B-3C503651D993}
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{755E8629-778A-4B08-8B9B-3C503651D993}\WpadDecision = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-08-7d-98-6d-69\WpadDecisionTime = a09b95fd0a9cd801
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{755E8629-778A-4B08-8B9B-3C503651D993}\WpadDecisionTime = a09b95fd0a9cd801
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{755E8629-778A-4B08-8B9B-3C503651D993}\WpadDecisionReason = "1"
  Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{755E8629-778A-4B08-8B9B-3C503651D993}\WpadNetworkName = "Network 3"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-08-7d-98-6d-69
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-08-7d-98-6d-69\WpadDecisionReason = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-08-7d-98-6d-69\WpadDecision = "0"
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process       procid_target
  PID 1048 wrote to memory of 2016  1048  rundll32.exe  26            (7 times)
  PID 2016 wrote to memory of 2004  2016  rundll32.exe  27            (4 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6353fcf21cbb20bb16c91910721a60f5.dll,#1
  PID: 1048
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6353fcf21cbb20bb16c91910721a60f5.dll,#1
    PID: 2016
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2004
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1724
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1804
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB (identical entry listed three times in the report)
  MD5: 011cd6211765992f7959164f2e0cc685
  SHA1: 37466c2a5146f667a1d1df33546aa033b594779c
  SHA256: 096fa38ef308d311074adb67e07866e12cacb9c8f9b52dd3111d8d1054755a70
  SHA512: ae5dade79ef1d30a9421adafad22a18205e61707babf470a15fc7ac7f6b73ae4cf2768ba48eec2fb27182fcfe22adf8ba04d8dc0e7d15d3b0b292886a10f1f75
- Filesize: 3.4MB
  MD5: 48b7932d08134aa0e4692a1c51f8cf59
  SHA1: f0f722882801471961a889d21479c7d5b5bb7b2d
  SHA256: 928cace56b782b1c0f5d9ab53472bcea3b2fa0927bdc663dca40ddae2a3edf70
  SHA512: 574a7e885d714d3b92b3547675d21b3b9bc67d1b0acff4ae22765fcf032b702d59f8141cd192af8a8165d73d335dda19a710686a7cade9a377cd14f4433b5621