Analysis
max time kernel: 151s
max time network: 154s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2022, 07:39
Static task: static1
Behavioral task: behavioral1
  Sample: ff0ec5621475e217fa6d2fea39b9a37e.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: ff0ec5621475e217fa6d2fea39b9a37e.dll
  Resource: win10v2004-20220718-en
General
Target: ff0ec5621475e217fa6d2fea39b9a37e.dll
Size: 5.0MB
MD5: ff0ec5621475e217fa6d2fea39b9a37e
SHA1: dddceadfd6396ea7ead3aec4429c22ec0359f408
SHA256: b9029c845771376e90d6f199449b5c2c337ddccb242f376223f54bc2df44fdc6
SHA512: 5ec084bd18132daafd2abe81803686e121c6bfc3787bbfac12f52caf78b11b22188d330e13d6bced7e1e89f964c4d0032afdec97afe91ae33054a68ba3ca943d
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
Contacts a large number (1276) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
pid | Process
1040 | mssecsvc.exe
912 | mssecsvc.exe
1768 | tasksche.exe
Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
Modifies data under HKEY_USERS (24 IoCs)
All 24 entries are standard Internet Settings keys (WPAD proxy auto-detection, ZoneMap, cache prefixes, connection settings) written to the .DEFAULT hive, the hive a process uses when it runs under the LocalSystem account; together with the counters.dat write under SysWOW64\config\systemprofile above, they are Windows' own WinINet/WPAD bookkeeping triggered by the service instance (PID 912) initialising networking, not values the sample sets for persistence.
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{321F1F0A-C535-4AD1-AD21-6DC950B22C9C}\WpadNetworkName = "Network 2" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{321F1F0A-C535-4AD1-AD21-6DC950B22C9C} | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{321F1F0A-C535-4AD1-AD21-6DC950B22C9C}\8e-bf-5b-da-1c-db | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-bf-5b-da-1c-db\WpadDecisionReason = "1" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{321F1F0A-C535-4AD1-AD21-6DC950B22C9C}\WpadDecision = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-bf-5b-da-1c-db\WpadDecision = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{321F1F0A-C535-4AD1-AD21-6DC950B22C9C}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{321F1F0A-C535-4AD1-AD21-6DC950B22C9C}\WpadDecisionTime = b0e41e961c9cd801 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-bf-5b-da-1c-db | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-bf-5b-da-1c-db\WpadDecisionTime = b0e41e961c9cd801 | mssecsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 1908 wrote to memory of 1316 | 1908 | rundll32.exe | 28
PID 1908 wrote to memory of 1316 | 1908 | rundll32.exe | 28
PID 1908 wrote to memory of 1316 | 1908 | rundll32.exe | 28
PID 1908 wrote to memory of 1316 | 1908 | rundll32.exe | 28
PID 1908 wrote to memory of 1316 | 1908 | rundll32.exe | 28
PID 1908 wrote to memory of 1316 | 1908 | rundll32.exe | 28
PID 1908 wrote to memory of 1316 | 1908 | rundll32.exe | 28
PID 1316 wrote to memory of 1040 | 1316 | rundll32.exe | 29
PID 1316 wrote to memory of 1040 | 1316 | rundll32.exe | 29
PID 1316 wrote to memory of 1040 | 1316 | rundll32.exe | 29
PID 1316 wrote to memory of 1040 | 1316 | rundll32.exe | 29
Processes
Indentation shows parent/child relationship. The 64-bit rundll32.exe in system32 re-launches its 32-bit SysWOW64 counterpart with the same command line to load the 32-bit DLL; it is the SysWOW64 instance that drops and starts mssecsvc.exe.
C:\Windows\system32\rundll32.exe (PID 1908)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff0ec5621475e217fa6d2fea39b9a37e.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1316)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff0ec5621475e217fa6d2fea39b9a37e.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 1040)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 1768)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe (PID 912)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
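Added example, not part of the sandbox report or of the sample: the Python below turns the process tree above and the "Contacts a large number of remote hosts" signature into detection logic run over constructed process, file-creation and network events. PIDs, image paths and command lines are taken from the report; the parent PIDs 1000 and 4, the notepad.exe noise process, the file paths for the noise process and the 10.0.0.0/8 destinations on 445/tcp are placeholders chosen for the example.

```python
"""Detection sketch over a WannaCry-style execution chain and SMB fan-out.

Events are CONSTRUCTED from the report's process tree; parent PIDs 1000/4,
the notepad.exe noise process and the 10.0.0.0/8 destinations are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


@dataclass(frozen=True)
class FileEvent:
    pid: int        # creating process
    path: str


@dataclass(frozen=True)
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int


DLL = r"C:\Users\Admin\AppData\Local\Temp\ff0ec5621475e217fa6d2fea39b9a37e.dll"

PROCS = [
    ProcEvent(1908, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1316, 1908, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1040, 1316, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(1768, 1040, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(912, 4, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ProcEvent(2000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign noise
]
FILES = [
    FileEvent(1316, r"C:\WINDOWS\mssecsvc.exe"),
    FileEvent(1040, r"C:\WINDOWS\tasksche.exe"),
    FileEvent(2000, r"C:\Users\Admin\Desktop\notes.txt"),  # noise
]
# 1276 distinct destinations on 445/tcp from the service instance (the count
# the report gives), plus repeat connections to one host from the noise process.
NET = [NetEvent(912, f"10.0.{i >> 8}.{i & 0xff}", 445) for i in range(1, 1277)]
NET += [NetEvent(2000, "192.0.2.10", 443)] * 3

ORDINAL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll),#(?P<ordinal>\d+)", re.I)


def rundll32_ordinal_loads(procs):
    """rundll32 calling a DLL export by ordinal (the ',#1' form in the tree)
    where the DLL lives under a user profile. Returns [(pid, dll, ordinal)]."""
    hits = []
    for p in procs:
        m = ORDINAL_RE.search(p.cmdline)
        if m and "\\users\\" in m["dll"].lower():
            hits.append((p.pid, m["dll"], int(m["ordinal"])))
    return hits


def executes_dropped_exe(procs, files):
    """Processes whose image is a file created by a process in the same trace
    ('Executes dropped EXE'). Returns [(creator_pid, image, pid)]."""
    created = {}
    for f in files:
        created.setdefault(f.path.lower(), f.pid)
    return [(created[p.image.lower()], p.image, p.pid)
            for p in procs if p.image.lower() in created]


def remote_host_fanout(net, threshold=100):
    """Distinct destination hosts per PID, keeping PIDs at or above threshold
    ('Contacts a large number of remote hosts'). Returns {pid: host_count}."""
    hosts = defaultdict(set)
    for e in net:
        hosts[e.pid].add(e.dst_ip)
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


def ancestry(procs, pid):
    """Image path chain for pid, root first, following ppid links in procs."""
    by_pid = {p.pid: p for p in procs}
    out = []
    while pid in by_pid:
        out.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return out[::-1]


def triage(procs, files, net):
    return {
        "rundll32_ordinal": rundll32_ordinal_loads(procs),
        "dropped_exe": executes_dropped_exe(procs, files),
        "fanout": remote_host_fanout(net),
    }


if __name__ == "__main__":
    for name, hits in triage(PROCS, FILES, NET).items():
        print(name, hits)
    print(" -> ".join(ancestry(PROCS, 1768)))
```

On the constructed events the three checks reproduce the report's counts: two rundll32 ordinal loads (PIDs 1908 and 1316), three processes started from dropped executables (1040, 1768 and 912, since both mssecsvc.exe instances run the file PID 1316 created), and one PID (912) reaching 1276 distinct hosts. The fan-out threshold is the knob to tune per environment; vulnerability scanners and backup agents legitimately exceed 100 hosts, so a production rule would key on the destination port and the image path as well.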
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 3.6MB (reported 3 times)
MD5: bce37f9a46dd6e5ed17db4c24a28dc7f
SHA1: f6735933b157c30cb02af4e76b541e8e3d4de019
SHA256: 304677e6ad30803ebfc8f28a17d7b383c868ee3bf78b854188bbe0acb7e74fb2
SHA512: 2174eddacb0bcc795e93fdaf72905983fcbffe8a092dbfecff97a3b0b0c988a3d1acdbc721a156539bd22b0c01dc378647b50a15d4ac4f351ef51967be0877da

Filesize: 3.4MB
MD5: 16226b9dab177f18ec44f297a2d0e86a
SHA1: 40d9d09f08376b07b73d8f70374151a2c0fa5bf4
SHA256: 81f1a0cb09387321278177d55442f1c32fecff59c579584dd2e4e52753a8b315
SHA512: 79f24ba409412140c148936d1ccabb876c671a56c72c6641200f272cf2ced278ab88e32a610b00f709e3b129123800c119aa10521e0f1d9123f1078f8b07d283