Analysis

max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2022, 07:46
Static task: static1

Behavioral task: behavioral1
  Sample: 9c30ed6837ce0a422697827dd7f2c2f0.dll
  Resource: win7-20220718-en

Behavioral task: behavioral2
  Sample: 9c30ed6837ce0a422697827dd7f2c2f0.dll
  Resource: win10v2004-20220414-en
General

Target: 9c30ed6837ce0a422697827dd7f2c2f0.dll
Size: 5.0MB
MD5: 9c30ed6837ce0a422697827dd7f2c2f0
SHA1: 53e08ab7b7fbad810b1dd7f8371266245910a445
SHA256: 2ff2a4b08a9b7786c46b7a2afc90121b83c9fac94641278aae01d65e896f4a2d
SHA512: 78cd1c2ab0b6765417998766dcace14b882987cead4457fbc32bcb0121ebf2dfd8edf35620458c4d4d31e3b592f2d52c9ca4c17d780495d47447d55fc94083f8
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (989) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. 989 distinct destinations inside a 150 s kernel window is far beyond what a client program produces on its own, and together with the dropped mssecsvc.exe below it is consistent with the worm behaviour named in the Wannacry signature rather than with ordinary name resolution or update traffic. When triaging, count distinct hosts per process (not connection attempts) and check whether they concentrate on a single port; that separates a sweep from a busy but legitimate client.
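The per-process fan-out check described above, as an added example (not the sandbox's own signature logic). The event tuples are a constructed stand-in for whatever your sandbox or EDR exports, the threshold and the single-port share are assumptions to tune against a benign baseline, and port 445 is only the sample's choice; the report states the host count, not the port.

```python
"""Flag processes whose outbound connections fan out to many distinct hosts,
the behaviour behind the report's 'Contacts a large (989) amount of remote
hosts' signature. Added example; events and thresholds are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FANOUT_THRESHOLD = 50      # assumption: tune against a baseline of benign processes
SAME_PORT_SHARE = 0.9      # assumption: a service scan concentrates on one port
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def fanout_by_process(events):
    """events: iterable of (pid, image, dst_ip, dst_port, proto).
    Returns {(pid, image): {"hosts": n, "top_port": (proto, port, share),
    "private_share": fraction}} built from distinct destination hosts."""
    hosts = defaultdict(set)
    per_port = defaultdict(lambda: defaultdict(set))
    for pid, image, dst_ip, dst_port, proto in events:
        key = (pid, image)
        hosts[key].add(dst_ip)                      # sets: retries to one host count once
        per_port[key][(proto, dst_port)].add(dst_ip)
    summary = {}
    for key, hs in hosts.items():
        (proto, port), port_hosts = max(per_port[key].items(), key=lambda kv: len(kv[1]))
        summary[key] = {
            "hosts": len(hs),
            "top_port": (proto, port, len(port_hosts) / len(hs)),
            "private_share": sum(is_private(h) for h in hs) / len(hs),
        }
    return summary


def scan_suspects(events, threshold=FANOUT_THRESHOLD, same_port_share=SAME_PORT_SHARE):
    """A process touching >= threshold distinct hosts, almost all on one port,
    looks like service discovery rather than ordinary client traffic."""
    out = []
    for (pid, image), s in fanout_by_process(events).items():
        proto, port, share = s["top_port"]
        if s["hosts"] >= threshold and share >= same_port_share:
            out.append({"pid": pid, "image": image, "hosts": s["hosts"],
                        "port": f"{proto}/{port}",
                        "private_share": round(s["private_share"], 2)})
    return sorted(out, key=lambda r: -r["hosts"])


def constructed_events():
    """Constructed sample: one process sweeping 199 LAN and 100 public addresses
    on a single port (with retries), beside a browser talking to a few hosts."""
    ev = [(860, "mssecsvc.exe", f"10.0.5.{i}", 445, "tcp") for i in range(2, 201)]
    ev += [(860, "mssecsvc.exe", f"203.0.113.{i}", 445, "tcp") for i in range(1, 101)]
    ev += [(860, "mssecsvc.exe", "10.0.5.2", 445, "tcp")] * 20   # retries must not inflate the count
    ev += [(2000, "chrome.exe", f"198.51.100.{i}", 443, "tcp") for i in range(1, 6)]
    ev.append((2000, "chrome.exe", "198.51.100.9", 80, "tcp"))
    return ev


if __name__ == "__main__":
    for hit in scan_suspects(constructed_events()):
        print(hit)
```

The private-address share is reported rather than used as a condition on purpose: a worm sweeping the local subnet and a vulnerability scanner you run yourself look the same to this rule, so the analyst decides with the process name and the image's origin in hand.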
- Executes dropped EXE (3 IoCs)
  pid   Process
  860   mssecsvc.exe
  1176  mssecsvc.exe
  1244  tasksche.exe

- Drops file in System32 directory (1 IoC)
  description                   ioc                                                                                                              Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat   mssecsvc.exe
  The path is the WinINet cache bookkeeping file of the LocalSystem profile (systemprofile), reached through SysWOW64 because the writer is a 32-bit process under file system redirection; it is a side effect of the process making WinINet calls as SYSTEM, not a payload drop.

- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
  These two writes are the ones that matter: the sample's DLL (hosted by rundll32.exe) drops mssecsvc.exe, which in turn drops tasksche.exe, and both are executed afterwards (see Executes dropped EXE and the process tree below).
- Modifies data under HKEY_USERS (24 IoCs)
  description       ioc                                                                                                                                                                Process
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BD3673BF-48A3-41C2-95E6-96B7F21C007E}\WpadDecision = "0"                  mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                                                                                mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings                                                                                mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"                                                        mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BD3673BF-48A3-41C2-95E6-96B7F21C007E}                                    mssecsvc.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BD3673BF-48A3-41C2-95E6-96B7F21C007E}\WpadNetworkName = "Network 3"      mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-c3-ef-61-21-da                                                          mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-c3-ef-61-21-da\WpadDecisionReason = "1"                                 mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"                                                               mssecsvc.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                                                   mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                                                                           mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-c3-ef-61-21-da\WpadDecision = "0"                                       mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections                                                                    mssecsvc.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"                                       mssecsvc.exe
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"                                      mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-c3-ef-61-21-da\WpadDecisionTime = 108640901d9cd801                      mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BD3673BF-48A3-41C2-95E6-96B7F21C007E}\WpadDecisionTime = 108640901d9cd801   mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BD3673BF-48A3-41C2-95E6-96B7F21C007E}\b6-c3-ef-61-21-da                  mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                                                       mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"                                                     mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BD3673BF-48A3-41C2-95E6-96B7F21C007E}\WpadDecisionReason = "1"            mssecsvc.exe
  All 24 writes are WinINet proxy auto-detection (WPAD) and cache state under Internet Settings, and all land in HKU\.DEFAULT, the hive the LocalSystem account sees as its current-user hive. They tell you that mssecsvc.exe issued WinINet requests while running as SYSTEM; none of them is an autostart, service or Winlogon key, so this signature is evidence of network activity, not of persistence.
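A small parser for the IoC lines in the format above, with a classifier that separates WinINet/WPAD state from writes that would matter for persistence, as an added example that is not part of the report. REG_LINES copies six lines from the signature and adds one constructed autostart line for contrast; the persistence patterns and the hive-to-context mapping are this example's assumptions.

```python
"""Parse 'Modifies data under HKEY_USERS' IoC lines and triage them.
Added example; the line format is the report's, the rules are assumptions."""
import re
from collections import Counter

REG_LINES = [
    # Copied from the report's signature table
    r'Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BD3673BF-48A3-41C2-95E6-96B7F21C007E}\WpadDecision = "0" mssecsvc.exe',
    r'Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe',
    r'Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe',
    r'Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe',
    r'Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-c3-ef-61-21-da\WpadDecisionTime = 108640901d9cd801 mssecsvc.exe',
    # Constructed line, NOT from the report: what a real autostart write would look like
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mssecsvc = "C:\WINDOWS\mssecsvc.exe -m security" mssecsvc.exe',
]

# <op> <path>[ = <value>] <process>; the path may contain spaces, the value may be
# quoted (and then contain spaces) or be a bare hex blob, and may be absent.
LINE_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>\w+)\))\s+'
    r'(?P<path>\\REGISTRY\\\S.*?)'
    r'(?:\s+=\s+(?P<value>"[^"]*"|\S+))?'
    r'\s+(?P<proc>\S+\.exe)$'
)

WININET = re.compile(
    r'\\REGISTRY\\USER\\[^\\]+\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings(\\|$)', re.I)
PERSISTENCE = [re.compile(p, re.I) for p in (          # assumption: a minimal autostart list
    r'\\CurrentVersion\\Run(Once)?\\',
    r'\\REGISTRY\\MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d+)\\Services\\',
    r'\\CurrentVersion\\Winlogon\\',
)]


def parse_line(line):
    """Return {"op", "type", "path", "value", "proc"} or None if the line is not an IoC row."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    value = m.group("value")
    if value is not None and value.startswith('"') and value.endswith('"'):
        value = value[1:-1]
    return {"op": "key" if m.group("op") == "Key created" else "set",
            "type": m.group("type"), "path": m.group("path"),
            "value": value, "proc": m.group("proc")}


def context(path):
    """Which account's view of the registry the write landed in (assumed mapping)."""
    p = path.upper()
    if p.startswith(r"\REGISTRY\USER\.DEFAULT") or p.startswith(r"\REGISTRY\USER\S-1-5-18"):
        return "LocalSystem (HKU\\.DEFAULT)"
    if p.startswith(r"\REGISTRY\USER\S-1-5-"):
        return "user SID hive"
    if p.startswith(r"\REGISTRY\MACHINE"):
        return "machine"
    return "unknown"


def classify(path):
    if any(rx.search(path) for rx in PERSISTENCE):
        return "persistence"
    if WININET.search(path):
        return "wininet-autoproxy"
    return "other"


def summarize(lines):
    """Count IoC rows per class; unparseable rows are reported, not dropped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        counts["unparsed" if rec is None else classify(rec["path"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in REG_LINES:
        rec = parse_line(line)
        print(classify(rec["path"]), context(rec["path"]), rec["path"])
    print(summarize(REG_LINES))
```

Run against the full 24-row table on this page the summary is entirely wininet-autoproxy, which is the point: the signature name sounds like tampering, but the content is WinINet housekeeping in the SYSTEM hive.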
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   Process       procid_target   occurrences
  PID 1108 wrote to memory of 1436    1108  rundll32.exe  27              7
  PID 1436 wrote to memory of 860     1436  rundll32.exe  28              4
  The two writer/target pairs are exactly the parent-to-child edges of the process tree below (1108 -> 1436 -> 860). Creating a child process writes into the new process's address space before it starts, which is why sandboxes raise this signature for ordinary spawns; on its own it is not evidence of injection into an unrelated process.
Processes

C:\Windows\system32\rundll32.exe (PID 1108)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c30ed6837ce0a422697827dd7f2c2f0.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1436)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c30ed6837ce0a422697827dd7f2c2f0.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 860)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 1244)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 1176)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Reading the tree: the sandbox loads the DLL through the 64-bit rundll32.exe (PID 1108), calling export ordinal #1. Because the DLL is 32-bit, that rundll32 hands the job to the SysWOW64 copy (PID 1436), which is the process that actually runs the sample code, writes C:\WINDOWS\mssecsvc.exe and starts it (PID 860). PID 860 writes C:\WINDOWS\tasksche.exe and starts it with /i, the encryption stage. The second mssecsvc.exe instance (PID 1176, started with -m security) appears as a separate root because nothing in the traced chain spawned it; its writes under HKU\.DEFAULT and under C:\Windows\SysWOW64\config\systemprofile show it running as LocalSystem, i.e. as a service. A detection keyed on "descends from rundll32.exe" therefore catches PIDs 860 and 1244 but misses PID 1176; pair the file-created event with the later execution of the same image instead, and use the ancestry only as a second, stricter rule.
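The two rules just described, as an added example (not the sandbox's own logic): rebuild the tree from process-start events, pair each file-created event with a later execution of the same image, and apply the stricter rundll32-ancestry rule on top. The event tuples are a constructed stand-in for EDR or sandbox telemetry; PIDs, images, command lines and created paths are copied from this report, while the timestamps, the parent PIDs 600 and 480 (not shown in the report) and the Windows directory are assumptions.

```python
"""Rebuild the process tree from a trace and flag 'executes dropped EXE' chains
of the shape in this report. Added example; events are constructed."""
import ntpath

# Constructed trace mirroring the Processes section: (ts, pid, ppid, image, cmdline).
# Parents 600 and 480 are placeholders not present in the report.
PROC_EVENTS = [
    (1, 1108, 600, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c30ed6837ce0a422697827dd7f2c2f0.dll,#1"),
    (2, 1436, 1108, r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c30ed6837ce0a422697827dd7f2c2f0.dll,#1"),
    (4, 860, 1436, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    (6, 1244, 860, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    (7, 1176, 480, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]
# Constructed file events: (ts, pid, op, path); the 'created' rows are the report's.
FILE_EVENTS = [
    (3, 1436, "created", r"C:\WINDOWS\mssecsvc.exe"),
    (5, 860, "created", r"C:\WINDOWS\tasksche.exe"),
    (8, 1176, "modified",
     r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"),
]
WINDIR = r"C:\WINDOWS"   # assumption: the traced host's Windows directory


def norm(path):
    """Case-fold and unify separators so paths compare the way NTFS does (any host OS)."""
    return ntpath.normcase(path)


def build_tree(proc_events):
    """pid -> process record; later starts with a reused pid would overwrite earlier ones."""
    return {pid: {"ts": ts, "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}
            for ts, pid, ppid, image, cmdline in proc_events}


def ancestry(procs, pid):
    """Image names from the process up to the highest ancestor the trace knows."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(procs[pid]["image"]).lower())
        pid = procs[pid]["ppid"]
    return chain


def executed_dropped(proc_events, file_events):
    """Rule 1: an image executed after another traced process created that file."""
    procs = build_tree(proc_events)
    created = {}                                    # normalised path -> (ts, writer pid)
    for ts, pid, op, path in file_events:
        if op == "created" and norm(path) not in created:
            created[norm(path)] = (ts, pid)
    hits = []
    for p in sorted(procs.values(), key=lambda r: r["ts"]):
        key = norm(p["image"])
        if key in created and created[key][0] < p["ts"]:
            cts, dropper = created[key]
            hits.append({
                "pid": p["pid"], "image": p["image"], "cmdline": p["cmdline"],
                "dropped_by": dropper,
                "dropper_image": ntpath.basename(procs[dropper]["image"]) if dropper in procs else None,
                "ancestry": ancestry(procs, p["pid"]),
            })
    return hits


def rundll32_dropper_chains(proc_events, file_events):
    """Rule 2 (stricter): a dropped EXE sitting directly in the Windows directory that
    descends from rundll32.exe. Misses service relaunches whose parent is not traced."""
    return [h for h in executed_dropped(proc_events, file_events)
            if ntpath.dirname(norm(h["image"])) == norm(WINDIR)
            and "rundll32.exe" in h["ancestry"]]


if __name__ == "__main__":
    for hit in executed_dropped(PROC_EVENTS, FILE_EVENTS):
        print(hit["pid"], hit["cmdline"], "<- dropped by", hit["dropper_image"], hit["ancestry"])
    print("strict:", [h["pid"] for h in rundll32_dropper_chains(PROC_EVENTS, FILE_EVENTS)])
```

On this trace rule 1 returns PIDs 860, 1244 and 1176, and rule 2 only 860 and 1244: the service instance is found by the file-to-execution pairing alone, which is why that pairing should be the primary rule.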
Network
MITRE ATT&CK Enterprise v6
Downloads

- Dropped file (the same entry is listed three times in the report, with identical hashes)
  Filesize: 3.6MB
  MD5: b88c1916a89289c0a2b5dc653a6c8d59
  SHA1: 887cac7ed35865c9c14f9196b0e282c159e997e6
  SHA256: 6a7789c59e834612c1407e0eeae5140bc93385f20e269c19e56f7d7890171bd6
  SHA512: f9fa8f427f65b16140c60479c07cf5c8152556b2ddfcd1e2c7752c424a54b9378094428f38d86a4b6f6c08c0b72c4563205d60bdc2bccb585a23721686f606fd

- Dropped file
  Filesize: 3.4MB
  MD5: 774c854be940865edcc542e7c700e2a8
  SHA1: 7584db11fd1d7350ba77689c6121f1645b254378
  SHA256: d2ec9d641e375cdc0c1ff1756980d044a58c10bb25bb3994bb273ee458da5bde
  SHA512: 65a4977574770e6f2d662fb99fa8b27d11694dc79c0abeb5029517c587cf17bab63cca01d9e40407b12ac9d42c01a185e8926c5144c9304b033e67f98f11b560