Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20/07/2022, 07:45
Static task: static1
Behavioral task: behavioral1
- Sample: aa6c3af589f56e44fa4f00cc5ee60169.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: aa6c3af589f56e44fa4f00cc5ee60169.dll
- Resource: win10v2004-20220414-en
General
- Target: aa6c3af589f56e44fa4f00cc5ee60169.dll
- Size: 5.0MB
- MD5: aa6c3af589f56e44fa4f00cc5ee60169
- SHA1: 80708025c3a71d2607dfa670e3de4f158351194e
- SHA256: 65d88350e1e0577f647a1d0e91dd4baf6e5ce42d3845d5e5cdbee03f6a1d9d50
- SHA512: 836fe58ab81d3c22ec00ac73e20a45e839a705c912faaf24511cb2fc54f848466e584fa674fb9cc8b6be7f8d442f4ca1a9f30d8245dd486c8e1c4e266c2e08a7
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1267) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid | Process
  1620 | mssecsvc.exe
  2016 | mssecsvc.exe
  604 | tasksche.exe
- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2}\WpadDecisionReason = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-31-93-ef-c4-8f\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-31-93-ef-c4-8f\WpadDecision = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2}\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2}\52-31-93-ef-c4-8f | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-31-93-ef-c4-8f\WpadDecisionTime = 700b1b6c1d9cd801 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2}\WpadDecisionTime = 700b1b6c1d9cd801 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-31-93-ef-c4-8f | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{91B91427-278C-456F-90B8-31FE4C81EBD2} | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 944 wrote to memory of 1892 | 944 | rundll32.exe | 27
  PID 944 wrote to memory of 1892 | 944 | rundll32.exe | 27
  PID 944 wrote to memory of 1892 | 944 | rundll32.exe | 27
  PID 944 wrote to memory of 1892 | 944 | rundll32.exe | 27
  PID 944 wrote to memory of 1892 | 944 | rundll32.exe | 27
  PID 944 wrote to memory of 1892 | 944 | rundll32.exe | 27
  PID 944 wrote to memory of 1892 | 944 | rundll32.exe | 27
  PID 1892 wrote to memory of 1620 | 1892 | rundll32.exe | 28
  PID 1892 wrote to memory of 1620 | 1892 | rundll32.exe | 28
  PID 1892 wrote to memory of 1620 | 1892 | rundll32.exe | 28
  PID 1892 wrote to memory of 1620 | 1892 | rundll32.exe | 28
Processes
- C:\Windows\system32\rundll32.exe (PID: 944)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa6c3af589f56e44fa4f00cc5ee60169.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 1892)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa6c3af589f56e44fa4f00cc5ee60169.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID: 1620)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID: 604)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID: 2016)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB
  MD5: 550fbbe39f6bb8cc978e37112d7760da
  SHA1: a04f21a2aa3270944e91d446707be1344cdee667
  SHA256: d29233288fed7ec3006b75fbab5c4259ba1bdfd89d3fad00fb26dc41fa9bd656
  SHA512: 456223a4c31bb1f99409b439c74b2656f3890aa4c4646b57007457300f8cf665628aaa31edde881d3d7f41846dfb5e20dddaa58534f8eea95713fe8f82c28103
- Filesize: 3.4MB
  MD5: 1fa7f9b832ae1d065695f71a8c7714b0
  SHA1: 274aa1fe26b8668adfb5bfff31917aeff93c12b0
  SHA256: 3f3b01ae8849baf9c28b373ab7bcdc369f8dbc376d6e07ec1918ea2c37871dcf
  SHA512: 3e1e3aa556624ef5886c34766e36fea6010c4a3d1db4df3fe859bb82ced94384473ce499a6598f593650b8f5a305708249a917513d3564b243481371c7d8850c