Analysis
-
max time kernel: 151s
max time network: 154s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 20/07/2022, 07:47
-
Static task: static1
Behavioral task: behavioral1
  Sample: 423bca29674fc6cd58fed852427b1ffe.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 423bca29674fc6cd58fed852427b1ffe.dll
  Resource: win10v2004-20220718-en
General
-
Target: 423bca29674fc6cd58fed852427b1ffe.dll
Size: 5.0MB
MD5: 423bca29674fc6cd58fed852427b1ffe
SHA1: 73b781e52f612230ebcf0070db8d12f72ccbd3f9
SHA256: 53d1efc21234848acd0610876f9888836cdaca9cba20bd5a74196ea76f808080
SHA512: 51bb12e591a3c780151cb42a7f4faa217a243730f925fc070fbf6be707e607f5ea412016b5c92cbe0dbae8ca0585e472cf767d44f90dc704696ad8668a05ab2c
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (1333) of remote hosts 1 TTP
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid   Process
1344  mssecsvc.exe
2028  mssecsvc.exe
1732  tasksche.exe
-
Drops file in System32 directory 1 IoCs
description                   ioc                                                                                                              Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
description   ioc                      Process
File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
description       ioc  Process
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  mssecsvc.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  mssecsvc.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  mssecsvc.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-c3-4b-d0-eb-86  mssecsvc.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  mssecsvc.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2ECDAD0F-3759-4FEC-B738-022767947BEF}\16-c3-4b-d0-eb-86  mssecsvc.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-c3-4b-d0-eb-86\WpadDecisionTime = e02ee0b31d9cd801  mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-c3-4b-d0-eb-86\WpadDecision = "0"  mssecsvc.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  mssecsvc.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2ECDAD0F-3759-4FEC-B738-022767947BEF}  mssecsvc.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2ECDAD0F-3759-4FEC-B738-022767947BEF}\WpadNetworkName = "Network 3"  mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-c3-4b-d0-eb-86\WpadDecisionReason = "1"  mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2ECDAD0F-3759-4FEC-B738-022767947BEF}\WpadDecisionReason = "1"  mssecsvc.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2ECDAD0F-3759-4FEC-B738-022767947BEF}\WpadDecisionTime = e02ee0b31d9cd801  mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2ECDAD0F-3759-4FEC-B738-022767947BEF}\WpadDecision = "0"  mssecsvc.exe
All 24 entries are WinINet proxy/WPAD auto-detect and cache-prefix state. They land under the .DEFAULT hive because the writer (the mssecsvc.exe service instance, PID 2028) runs as LocalSystem and initialises WinINet; the counters.dat write under SysWOW64\config\systemprofile listed above is the same profile's Temporary Internet Files bookkeeping, not a payload drop.
-
Suspicious use of WriteProcessMemory 11 IoCs
description                      pid   Process       procid_target
PID 1348 wrote to memory of 860  1348  rundll32.exe  28
PID 1348 wrote to memory of 860  1348  rundll32.exe  28
PID 1348 wrote to memory of 860  1348  rundll32.exe  28
PID 1348 wrote to memory of 860  1348  rundll32.exe  28
PID 1348 wrote to memory of 860  1348  rundll32.exe  28
PID 1348 wrote to memory of 860  1348  rundll32.exe  28
PID 1348 wrote to memory of 860  1348  rundll32.exe  28
PID 860 wrote to memory of 1344  860   rundll32.exe  29
PID 860 wrote to memory of 1344  860   rundll32.exe  29
PID 860 wrote to memory of 1344  860   rundll32.exe  29
PID 860 wrote to memory of 1344  860   rundll32.exe  29
Processes
-
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\423bca29674fc6cd58fed852427b1ffe.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:1348
  -
  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\423bca29674fc6cd58fed852427b1ffe.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:860
    -
    C:\WINDOWS\mssecsvc.exe
      command: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:1344
      -
      C:\WINDOWS\tasksche.exe
        command: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:1732
-
C:\WINDOWS\mssecsvc.exe
  command: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2028
The first tree is the drop: the 64-bit rundll32.exe hands the 32-bit DLL to the SysWOW64 rundll32.exe, which writes C:\WINDOWS\mssecsvc.exe and starts it, and that instance in turn writes and starts tasksche.exe /i, the ransomware component. The second, parentless tree is the same dropped mssecsvc.exe restarted as a service with -m security; it is this SYSTEM-context instance that carries the HKEY_USERS\.DEFAULT writes and the system-profile cache file recorded under Signatures.
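The two behaviours the report records, the Temp-DLL rundll32 drop chain and one process fanning out to 1333 remote hosts, are the kind of thing a detection engineer turns into rules over process-creation and network-connection telemetry. The following is an added example written for this page, not the sandbox vendor's code: a small Python detector run over constructed event records that mirror the process tree above. The event field names (pid, ppid, image, cmdline, dst), the parent PIDs given to the two tree roots, the benign rundll32 line, the destination addresses and the fan-out threshold of 100 hosts are all assumptions made for the example; the PIDs, paths and command lines of the malicious processes are taken from the report.

```python
import re
from collections import defaultdict

# --- constructed input mirroring the report's process tree ---
# PIDs/paths/command lines of the malicious processes come from the report;
# the parent PIDs of the two roots (500, 468) and the benign rundll32 line are assumed.
PROCESS_EVENTS = [
    {"pid": 1348, "ppid": 500,  "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\423bca29674fc6cd58fed852427b1ffe.dll,#1"},
    {"pid": 860,  "ppid": 1348, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\423bca29674fc6cd58fed852427b1ffe.dll,#1"},
    {"pid": 1344, "ppid": 860,  "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 1732, "ppid": 1344, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 2028, "ppid": 468,  "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"pid": 3000, "ppid": 500,  "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},   # benign noise (constructed)
]

# Constructed connection events: the worm process (PID 1344) touching 1333 distinct
# hosts, the count the report gives, plus a little repeated benign traffic from PID 3000.
NETWORK_EVENTS = [{"pid": 1344, "dst": f"10.{i // 256}.{i % 256}.1"} for i in range(1333)]
NETWORK_EVENTS += [{"pid": 3000, "dst": "10.0.0.5"}, {"pid": 3000, "dst": "10.0.0.5"}]

# rundll32 invoking an ordinal export (",#N") of a DLL that lives in the user's Temp directory
TEMP_DLL_EXPORT = re.compile(r"rundll32\.exe\s+\S*\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.I)
# an executable placed directly in %WINDIR% (not in a subdirectory such as System32)
WINDIR_ROOT_EXE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.exe$", re.I)


def _ancestors(pid, by_pid):
    """Yield the event for pid, then each parent up the tree (stops on unknown PID or a cycle)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def detect_drop_chain(events):
    """Return {pid: reason} for processes matching the report's drop-and-launch chain."""
    by_pid = {e["pid"]: e for e in events}
    hits, dropped_images = {}, set()
    # pass 1: a %WINDIR%\*.exe whose ancestry contains rundll32 running a Temp-dir DLL export
    for e in events:
        if not WINDIR_ROOT_EXE.match(e["image"]):
            continue
        for anc in _ancestors(e["ppid"], by_pid):
            if TEMP_DLL_EXPORT.search(anc["cmdline"]):
                hits[e["pid"]] = f"{e['image']} descends from rundll32 PID {anc['pid']} loading a Temp DLL"
                dropped_images.add(e["image"].lower())
                break
    # pass 2: the same dropped image started again outside that ancestry (here the
    # "-m security" service relaunch), which a parent walk alone never reaches
    for e in events:
        if e["pid"] not in hits and e["image"].lower() in dropped_images:
            hits[e["pid"]] = f"{e['image']} relaunched outside the drop chain: {e['cmdline']}"
    return hits


def detect_fan_out(events, threshold=100):
    """Return {pid: distinct_host_count} for processes contacting more than `threshold` hosts."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["pid"]].add(e["dst"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) > threshold}


if __name__ == "__main__":
    for pid, why in sorted(detect_drop_chain(PROCESS_EVENTS).items()):
        print(f"[chain]   PID {pid}: {why}")
    for pid, n in detect_fan_out(NETWORK_EVENTS).items():
        print(f"[fan-out] PID {pid}: {n} distinct remote hosts")
```

The second pass in detect_drop_chain matters in practice: the service-mode mssecsvc.exe (PID 2028) has no parent inside the recorded tree, so a rule that only walks parents would miss the instance that actually does the scanning and the HKEY_USERS writes. Matching on the dropped image path instead ties the relaunch back to the drop without depending on the service control manager appearing in the telemetry.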
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 3.6MB (the same file is listed three times in the report)
MD5: 05caef754cf3d8f494ed1be4bb2efd53
SHA1: eb3b2202d9d54fec56c62d256254cd36c235ed61
SHA256: 9c79438f1ccfc7187af064f6d9badfe9e33680928d82cf59a1e512421e2422dc
SHA512: f321020b49b03bf691e45ebbcca092c8219876399aaaa42b116bed51140528dd40519f03d93f2b033319fa729f3704569d393c021523d1c53eea831980707940
-
Filesize: 3.4MB
MD5: 7d1a1e425c3a214a649013d89e82d6b4
SHA1: b695fd52830c6124b1799d0ba0d256fbd786a2f7
SHA256: 3743d8bb3d584eb76a7e74dcc199b2674a4dc77a72c9236e1f3ebc5eaf51c7d6
SHA512: ab939c536bf339a70dab35178fdb90919c98bc0e3bf7982380390a6b8bd769e120dff9406db781a852b9da1bcc998bfd6df5f46bb5e8b91621b87a69d436f79f