Analysis
max time kernel: 151s
max time network: 154s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2022, 07:35
Static task: static1
Behavioral task: behavioral1
  Sample: 5df2f4ccc627d69619aa273a910fef85.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 5df2f4ccc627d69619aa273a910fef85.dll
  Resource: win10v2004-20220718-en
General
Target: 5df2f4ccc627d69619aa273a910fef85.dll
Size: 5.0MB
MD5: 5df2f4ccc627d69619aa273a910fef85
SHA1: 4fede53863ca2ae77623389182a502eb4968f498
SHA256: d33624a32697dc5e277efef5afddfc38177b5ee8c17cda21dbdcccdf593d0ba4
SHA512: 9aea89903625c921b166af00dba135f480790880d62855807f2161e5a652e16a96fa3f2bbf493d7b89d35f93200251f86823130b1468f7a9206a8e9df88d21e5
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (1306) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (2 IoCs)
  PID  | Process
  548  | mssecsvc.exe
  1412 | mssecsvc.exe
Drops file in System32 directory (1 IoC)
  Description | IoC | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
Drops file in Windows directory (2 IoCs)
  Description | IoC | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
Modifies data under HKEY_USERS (24 IoCs)
  Description | IoC | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0101000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED} | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\6a-75-1b-2d-33-8d | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecisionTime = c0c991440b9cd801 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecision = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-75-1b-2d-33-8d\WpadDecision = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecisionTime = c0c991440b9cd801 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C7A15239-4A47-4C67-A768-39B2D80D2CED}\WpadDecisionReason = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  Description | PID | Process | procid_target
  PID 1056 wrote to memory of 2000 | 1056 | rundll32.exe | 27
  PID 1056 wrote to memory of 2000 | 1056 | rundll32.exe | 27
  PID 1056 wrote to memory of 2000 | 1056 | rundll32.exe | 27
  PID 1056 wrote to memory of 2000 | 1056 | rundll32.exe | 27
  PID 1056 wrote to memory of 2000 | 1056 | rundll32.exe | 27
  PID 1056 wrote to memory of 2000 | 1056 | rundll32.exe | 27
  PID 1056 wrote to memory of 2000 | 1056 | rundll32.exe | 27
  PID 2000 wrote to memory of 548 | 2000 | rundll32.exe | 28
  PID 2000 wrote to memory of 548 | 2000 | rundll32.exe | 28
  PID 2000 wrote to memory of 548 | 2000 | rundll32.exe | 28
  PID 2000 wrote to memory of 548 | 2000 | rundll32.exe | 28
Processes
C:\Windows\system32\rundll32.exe (tree depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5df2f4ccc627d69619aa273a910fef85.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1056
  C:\Windows\SysWOW64\rundll32.exe (tree depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5df2f4ccc627d69619aa273a910fef85.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2000
    C:\WINDOWS\mssecsvc.exe (tree depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 548
C:\WINDOWS\mssecsvc.exe (tree depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 1412
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 3.6MB
MD5: d9fd56d2a7600655725ed3346032b4c1
SHA1: 89b55d839224ca29359ebd99bf396b70b6a7368d
SHA256: 16b4b11cfcb5dd93cf4f73b71638afa83aa7d7505e8bf48fbdad3f0d9fcc00e3
SHA512: 67ff6533ac616fe24f0f273f5de4d0220afedc60f001ce6be1f1726030ce48ff8bb3bce0068b0448a80761eabeff0774fa987e1eb1efc1d1d6e9d67e04544ff9