Analysis
max time kernel: 151s
max time network: 156s
platform: windows7_x64
resource: win7-20220715-en
resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2022, 07:42
Static task: static1
Behavioral task: behavioral1
  Sample: 2fa2b45f10328565d9cedcaaf3131771.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 2fa2b45f10328565d9cedcaaf3131771.dll
  Resource: win10v2004-20220414-en
General
Target: 2fa2b45f10328565d9cedcaaf3131771.dll
Size: 5.0MB
MD5: 2fa2b45f10328565d9cedcaaf3131771
SHA1: 524c453b2537d41fd3d113bfe905f351703ff592
SHA256: 81b7d9a20398387471e9830806ee44e9f52ee2c29d2c50707d2747a24fe02d40
SHA512: 480698612b1aba3deb3d1f7b40a400294b2ed3449a78e0e104a9f2b712a44a5cdcae2384aef25d25b716293fc4febc24fb703cb25f56e51b83eade0699ed2e34
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (1309) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  pid   Process
  668   mssecsvc.exe
  1896  mssecsvc.exe
  1988  tasksche.exe
Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                             Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
Modifies data under HKEY_USERS (24 IoCs)
  description       ioc                                                                                                                                          Process
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                                                          mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"                                        mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"                                 mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2}              mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-00-ff-75-0c-a4                                   mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-00-ff-75-0c-a4\WpadDecisionReason = "1"          mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                                 mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"                              mssecsvc.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"                mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2}\WpadDecisionTime = a064fd3e0c9cd801  mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2}\WpadDecision = "0"  mssecsvc.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2}\WpadNetworkName = "Network 3"  mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-00-ff-75-0c-a4\WpadDecisionTime = a064fd3e0c9cd801  mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-00-ff-75-0c-a4\WpadDecision = "0"                mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections                                              mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2}\4e-00-ff-75-0c-a4  mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings                                                          mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                            mssecsvc.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"               mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                                                     mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EBF815A2-6CFB-432D-AF9F-7670E98E50F2}\WpadDecisionReason = "1"  mssecsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process       procid_target
  PID 1432 wrote to memory of 1188  1432  rundll32.exe  27
  PID 1432 wrote to memory of 1188  1432  rundll32.exe  27
  PID 1432 wrote to memory of 1188  1432  rundll32.exe  27
  PID 1432 wrote to memory of 1188  1432  rundll32.exe  27
  PID 1432 wrote to memory of 1188  1432  rundll32.exe  27
  PID 1432 wrote to memory of 1188  1432  rundll32.exe  27
  PID 1432 wrote to memory of 1188  1432  rundll32.exe  27
  PID 1188 wrote to memory of 668   1188  rundll32.exe  28
  PID 1188 wrote to memory of 668   1188  rundll32.exe  28
  PID 1188 wrote to memory of 668   1188  rundll32.exe  28
  PID 1188 wrote to memory of 668   1188  rundll32.exe  28
Processes (indentation shows parent/child depth)
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa2b45f10328565d9cedcaaf3131771.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1432
  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa2b45f10328565d9cedcaaf3131771.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1188
    C:\WINDOWS\mssecsvc.exe
      command: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 668
      C:\WINDOWS\tasksche.exe
        command: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 1988
C:\WINDOWS\mssecsvc.exe
  command: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 1896
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 3.6MB
MD5: 9f5fcc06c35b79fd9fc1cc3fd8d5eb7f
SHA1: 380da41bb2ccde2e9b5e7f5ceb1d4103e9919628
SHA256: 8ce7c85b5da5303647f5eb6d98ca54d6e6cb9f4c9462535b8034fe8c19b4ca52
SHA512: 36034d0161da4709b6a255fa772d94c77670ef13d08edb682ef2ecde3b2581e645f0093e0ee072db037ac9c3c95b3f0665904ef03b4f0799cdc3bc4229358f1f

Filesize: 3.4MB
MD5: 72b7326ad47efacd38036f594e2e0dc4
SHA1: 919cfc5ca4e334cc3dd9a5480cac09454593ef5a
SHA256: c12b903c402922ea0978c82218a9e6e73035af524096428391d6b53fcfad878a
SHA512: b958fd7e154bab31f8f23c9fa867bbbaaff0179acde5aa8c7a3b0928bb7c1b48eaef05866a26fb53fbfd38453e1cde896d92920d022d003fc89dbc72734c2f59