Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2022, 07:36
Static task: static1
Behavioral task: behavioral1
  Sample: 83fd51535985071f14d083c143797233.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 83fd51535985071f14d083c143797233.dll
  Resource: win10v2004-20220718-en
General
Target: 83fd51535985071f14d083c143797233.dll
Size: 5.0MB
MD5: 83fd51535985071f14d083c143797233
SHA1: 7d639bcb93f9bf3afbcb71256e20986af30bceea
SHA256: 2e763503a70d6279bb00ac73127955280acdba20dc1ef6f5f9f1aa24098dfcf8
SHA512: 933d71b3cf7b452101720d1b73996663204fc6cbd35c7b4d7895e4869a16f9426ac1578e73287403965be5feaf97e039a522b92f5910bd088d6b2a7c3bfc8fbc
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1260) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  964   mssecsvc.exe
  1640  mssecsvc.exe
  1712  tasksche.exe
- Drops file in System32 directory (1 IoC)
  description                   ioc                                                                                                              Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Registry keys created and values set by mssecsvc.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (Connections, Wpad, ZoneMap and 5.0\Cache subkeys).
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process       procid_target  identical rows
  PID 1972 wrote to memory of 1748   1972  rundll32.exe  27             7
  PID 1748 wrote to memory of 964    1748  rundll32.exe  28             4
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\83fd51535985071f14d083c143797233.dll,#1
  PID: 1972
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\83fd51535985071f14d083c143797233.dll,#1
    PID: 1748
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 964
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1712
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1640
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB
  MD5: 6d5e97b9f93fc008b99e40c676901ae3
  SHA1: f6111eaf56b1c03c3ac0fa6f65fce945f230538c
  SHA256: 4b8414f81b20f0635b02072a6b3d6de8b168892554331fa8231ff51334e40421
  SHA512: 017c055f7aea286082d96623c43133a1920754fe7f3e3006a0836e106031461d13e9a8bfafb27e78522a41ac9da0409625c84120959b0f22609bfc32f2c0087a
- Filesize: 3.4MB
  MD5: 67d08a8ea0584d0c7a00c2179c8e010f
  SHA1: 317a7c1cf49cd6907e22444d63dea832d175d2a6
  SHA256: eb3830d19e5e887593976dcf7a040f22bd2dbd43e911320113acb2e54654cf92
  SHA512: c667afc72f6d933e555c96150e0ea465e5f2276e7c896d932f59dadf1a2008a1ab9aaf7d68df3dd0b7227d26394758699eb5f3c0818882d0ecd8d7e3a900a037