Analysis

max time kernel: 151s
max time network: 153s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2022, 07:43
Static task: static1

Behavioral task: behavioral1
Sample: ec5748f79216b65959301174fbf96957.dll
Resource: win7-20220718-en

Behavioral task: behavioral2
Sample: ec5748f79216b65959301174fbf96957.dll
Resource: win10v2004-20220718-en
General

Target: ec5748f79216b65959301174fbf96957.dll
Size: 5.0MB
MD5: ec5748f79216b65959301174fbf96957
SHA1: 690f8cecc24108338930a17c70a528292c60be38
SHA256: 105e8ccca5c3be8e5bb23b1afbba9720c44d0ec45a2ef85d004c34526464ed0f
SHA512: d571b153abd7216dcf05085d4730e9c9410d4ad6f8015b0d9334e3db00e33bf351f155a880ccf733bc21a2530598ee42a6d76ec81b2f5390bd978431042f48bd
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (1273) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
pid | Process
1440 | mssecsvc.exe
1364 | mssecsvc.exe
1344 | tasksche.exe
Drops file in System32 directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
Modifies data under HKEY_USERS (24 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455}\WpadDecisionTime = 001d50271d9cd801 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9d-f8-8b-a5-59\WpadDecisionReason = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9d-f8-8b-a5-59 | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9d-f8-8b-a5-59\WpadDecisionTime = 001d50271d9cd801 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-9d-f8-8b-a5-59\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455}\WpadNetworkName = "Network 3" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455}\aa-9d-f8-8b-a5-59 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455} | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7985A0AF-B22B-40D1-8CE4-A8185C83F455}\WpadDecision = "0" | mssecsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 1768 wrote to memory of 1092 | 1768 | rundll32.exe | 27
PID 1768 wrote to memory of 1092 | 1768 | rundll32.exe | 27
PID 1768 wrote to memory of 1092 | 1768 | rundll32.exe | 27
PID 1768 wrote to memory of 1092 | 1768 | rundll32.exe | 27
PID 1768 wrote to memory of 1092 | 1768 | rundll32.exe | 27
PID 1768 wrote to memory of 1092 | 1768 | rundll32.exe | 27
PID 1768 wrote to memory of 1092 | 1768 | rundll32.exe | 27
PID 1092 wrote to memory of 1440 | 1092 | rundll32.exe | 28
PID 1092 wrote to memory of 1440 | 1092 | rundll32.exe | 28
PID 1092 wrote to memory of 1440 | 1092 | rundll32.exe | 28
PID 1092 wrote to memory of 1440 | 1092 | rundll32.exe | 28
Processes

C:\Windows\system32\rundll32.exe (PID 1768)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec5748f79216b65959301174fbf96957.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 1092)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec5748f79216b65959301174fbf96957.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        C:\WINDOWS\mssecsvc.exe (PID 1440)
          command line: C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
            C:\WINDOWS\tasksche.exe (PID 1344)
              command line: C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 1364)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 3.6MB
MD5: 42db6f5ea2fa39f344fe8bcbb70c2446
SHA1: a56bbda5cdae8d02a5f766f10fbf3e23e2d4ec83
SHA256: 2b950f9148cd1558d3034fe775be313e6600dff8c12dc5c3c309f9979c210eaa
SHA512: 14c268a98a0d1a46e5af3a6d9eb72ed20f91d32be489895d605237874e006af5d70ec66766bf24cdad17ea0885742c6f02430914048231a9085b7700484973c0
(this entry is listed three times in the report)

Filesize: 3.4MB
MD5: 1c8b86848417ca00d2c49b4515e6516a
SHA1: f5d333f02e227a2fb70536d12f90ca359c8d263d
SHA256: 2eefc917cef61a212eea8c033f028dda3c791e55791de69c79252d56423982c1
SHA512: bc362feaace7bd0fba650c18d2b3b89a1f9f5fdb347e62eb4877e56f7c682be05fd341d79586245b4912df3e26512496e3631255674622f4ae5a9b060f04b749