Analysis
max time kernel: 151s
max time network: 166s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2022, 07:41
Static task: static1
Behavioral task: behavioral1
  Sample: 1f35108247eaaf84733eb8b52c958ec8.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 1f35108247eaaf84733eb8b52c958ec8.dll
  Resource: win10v2004-20220718-en
General
Target: 1f35108247eaaf84733eb8b52c958ec8.dll
Size: 5.0MB
MD5: 1f35108247eaaf84733eb8b52c958ec8
SHA1: 7d8b544ce7514205731a561cd85f8d36ac34dba3
SHA256: 15f2ff44943f7d6a2fe47be6b22a0c308b864a27d1eb21632c19d4f05183d8c3
SHA512: 5b6587df5b67577d0d962c4efa46b927f4f6022fff2fc6dc9eef0ea9be8d4e5620a540574c17404979b88c39f973a5f6d09a7d685601019eed4ba5ee7750a918
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1266) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  1552  mssecsvc.exe
  1920  mssecsvc.exe
  1248  tasksche.exe
- Drops file in System32 directory (1 IoCs)
  description  ioc  Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process       procid_target
  PID 1476 wrote to memory of 1632  1476  rundll32.exe  28
  PID 1476 wrote to memory of 1632  1476  rundll32.exe  28
  PID 1476 wrote to memory of 1632  1476  rundll32.exe  28
  PID 1476 wrote to memory of 1632  1476  rundll32.exe  28
  PID 1476 wrote to memory of 1632  1476  rundll32.exe  28
  PID 1476 wrote to memory of 1632  1476  rundll32.exe  28
  PID 1476 wrote to memory of 1632  1476  rundll32.exe  28
  PID 1632 wrote to memory of 1552  1632  rundll32.exe  29
  PID 1632 wrote to memory of 1552  1632  rundll32.exe  29
  PID 1632 wrote to memory of 1552  1632  rundll32.exe  29
  PID 1632 wrote to memory of 1552  1632  rundll32.exe  29
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f35108247eaaf84733eb8b52c958ec8.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:1476
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f35108247eaaf84733eb8b52c958ec8.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1632
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:1552
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:1248
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1920
Network
MITRE ATT&CK Enterprise v6
Downloads