Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
20/07/2022, 07:40
Static task
static1
Behavioral task
behavioral1
Sample
f1c1fc835aabddc1adc200e26acd0745.dll
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
f1c1fc835aabddc1adc200e26acd0745.dll
Resource
win10v2004-20220718-en
General
-
Target
f1c1fc835aabddc1adc200e26acd0745.dll
-
Size
5.0MB
-
MD5
f1c1fc835aabddc1adc200e26acd0745
-
SHA1
14bf8595ec6b87db66ed6ab6f5704110a0b787c6
-
SHA256
a5dabe33b1721f3aa144e6bd3e5364521f3793a45c7ca9a07b28073bf20eff7b
-
SHA512
38230e6d7d50319dff8241b6a83e10dd50c401338b92981eee43701ab00a19c08a0dc342ea6edb5baee7e80d9d4dbe0251e291c0c73d39aed675f78edb794104
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1282) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 1504 mssecsvc.exe 1576 mssecsvc.exe 320 tasksche.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-95-de-59-f8-43 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B}\ae-95-de-59-f8-43 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-95-de-59-f8-43\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B} mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-95-de-59-f8-43\WpadDecisionTime = e08c6df80b9cd801 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B}\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-95-de-59-f8-43\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B}\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AD996A31-4313-4345-8160-5D71A041190B}\WpadDecisionTime = e08c6df80b9cd801 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 852 wrote to memory of 1956 852 rundll32.exe 27 PID 852 wrote to memory of 1956 852 rundll32.exe 27 PID 852 wrote to memory of 1956 852 rundll32.exe 27 PID 852 wrote to memory of 1956 852 rundll32.exe 27 PID 852 wrote to memory of 1956 852 rundll32.exe 27 PID 852 wrote to memory of 1956 852 rundll32.exe 27 PID 852 wrote to memory of 1956 852 rundll32.exe 27 PID 1956 wrote to memory of 1504 1956 rundll32.exe 28 PID 1956 wrote to memory of 1504 1956 rundll32.exe 28 PID 1956 wrote to memory of 1504 1956 rundll32.exe 28 PID 1956 wrote to memory of 1504 1956 rundll32.exe 28
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f1c1fc835aabddc1adc200e26acd0745.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f1c1fc835aabddc1adc200e26acd0745.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1504 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:320
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1576
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5f3039c7336e7f6d4328f94fa303dcced
SHA11677d4d93437e2d8515f35d6b26e1b00030bc03a
SHA256d166b5c75449ef64b033e97b0d8ca7f3c4d4b24b8ddf45a19643df0e5aea8e9f
SHA5123244ff12287276525595b64ca832fe8356454df6adf1a1de6cd07992a95595e6432ff85b9f9e496975fa8df4685a70fb68e18cf60fce666c6c58acd2c00c1f3c
-
Filesize
3.6MB
MD5f3039c7336e7f6d4328f94fa303dcced
SHA11677d4d93437e2d8515f35d6b26e1b00030bc03a
SHA256d166b5c75449ef64b033e97b0d8ca7f3c4d4b24b8ddf45a19643df0e5aea8e9f
SHA5123244ff12287276525595b64ca832fe8356454df6adf1a1de6cd07992a95595e6432ff85b9f9e496975fa8df4685a70fb68e18cf60fce666c6c58acd2c00c1f3c
-
Filesize
3.6MB
MD5f3039c7336e7f6d4328f94fa303dcced
SHA11677d4d93437e2d8515f35d6b26e1b00030bc03a
SHA256d166b5c75449ef64b033e97b0d8ca7f3c4d4b24b8ddf45a19643df0e5aea8e9f
SHA5123244ff12287276525595b64ca832fe8356454df6adf1a1de6cd07992a95595e6432ff85b9f9e496975fa8df4685a70fb68e18cf60fce666c6c58acd2c00c1f3c
-
Filesize
3.4MB
MD5435273746a63b67feb46ba53b3f57075
SHA11d9c9c6e3266061c6ad2a84466eec1b7153ff16c
SHA256eec16823fe58cbed7d91ac56356e17a87af9f2488753e1f200c5bf5b46151db1
SHA512c5a1c46361f3b4e55f17e3d335f668b6eefb07058d64f3019c70575e890ea9dba64731a692aa7b91a4873938c5c4f2798f4cb86bb73d20df9b53ff3a0ba440a5