Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 25-07-2022 04:17
Static task: static1
Behavioral task: behavioral1
- Sample: e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll
- Resource: win10v2004-20220721-en
General
- Target: e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll
- Size: 5.0MB
- MD5: 46273765ba551414751b787b45b9362d
- SHA1: 61f746ee0c72970ebb11d56019ae297750d7b649
- SHA256: e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1
- SHA512: e9d46361b429fa3aeb126f0492a715aa5f06ad580fb8b3464be1cb324664a7a41cffcb1aea25a976a4336eee0e15cfaa804e36d19d4213b6173c58e7d5036886
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
- suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
- Contacts a large (1280) number of remote hosts (1 TTP): this may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 1540 mssecsvc.exe
  - 1728 mssecsvc.exe
  - 1516 tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc; all by mssecsvc.exe):
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A719952-FA0B-4418-91EA-AA7EC935CF00}
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-eb-e9-e9-c8-8f
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A719952-FA0B-4418-91EA-AA7EC935CF00}\ee-eb-e9-e9-c8-8f
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A719952-FA0B-4418-91EA-AA7EC935CF00}\WpadDecisionReason = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A719952-FA0B-4418-91EA-AA7EC935CF00}\WpadDecision = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-eb-e9-e9-c8-8f\WpadDecisionTime = 0014004cee9fd801
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A719952-FA0B-4418-91EA-AA7EC935CF00}\WpadDecisionTime = 0014004cee9fd801
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4A719952-FA0B-4418-91EA-AA7EC935CF00}\WpadNetworkName = "Network 3"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-eb-e9-e9-c8-8f\WpadDecisionReason = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-eb-e9-e9-c8-8f\WpadDecision = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 1984 wrote to memory of 1052: rundll32.exe -> rundll32.exe
  - PID 1984 wrote to memory of 1052: rundll32.exe -> rundll32.exe
  - PID 1984 wrote to memory of 1052: rundll32.exe -> rundll32.exe
  - PID 1984 wrote to memory of 1052: rundll32.exe -> rundll32.exe
  - PID 1984 wrote to memory of 1052: rundll32.exe -> rundll32.exe
  - PID 1984 wrote to memory of 1052: rundll32.exe -> rundll32.exe
  - PID 1984 wrote to memory of 1052: rundll32.exe -> rundll32.exe
  - PID 1052 wrote to memory of 1540: rundll32.exe -> mssecsvc.exe
  - PID 1052 wrote to memory of 1540: rundll32.exe -> mssecsvc.exe
  - PID 1052 wrote to memory of 1540: rundll32.exe -> mssecsvc.exe
  - PID 1052 wrote to memory of 1540: rundll32.exe -> mssecsvc.exe
Processes (process tree; depth in parentheses)
- C:\Windows\system32\rundll32.exe (1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e23939851f5351b2ceff37634180930d7bd4037edfc0ad1caa0763f094c3e8c1.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 9f2febd6d18a6ce6227a470ac3cefe7c
  SHA1: b42ad909f382aa3af976e65e0fc0b31ba2ed171e
  SHA256: a0f90f94e4f4a8ec24497109c2548bd24892069a70b619130ec2045d026dd6e0
  SHA512: 241b330563e2a2d87cb73fa1e003dc7aa12822248c2df999f8e1e249dd75d608ba5333f55171f711afb768b8b0f9aa961e3da9c768c9ebecb997863853cb6a02
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 9f2febd6d18a6ce6227a470ac3cefe7c
  SHA1: b42ad909f382aa3af976e65e0fc0b31ba2ed171e
  SHA256: a0f90f94e4f4a8ec24497109c2548bd24892069a70b619130ec2045d026dd6e0
  SHA512: 241b330563e2a2d87cb73fa1e003dc7aa12822248c2df999f8e1e249dd75d608ba5333f55171f711afb768b8b0f9aa961e3da9c768c9ebecb997863853cb6a02
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0a05a5da7327c4e5086d3c393fb890d9
  SHA1: 3b22803e310a65a509d9ed721b56da389e508831
  SHA256: e557d37e7763d698cfad36992f2cae832b49d56ac988e67dfe83edf348735d19
  SHA512: 5a792c4a62568b2ef5a4cd17e739e6237b38f7c2e167337a6cfb5d358fa33871fe8df8eb7ecf7a4dba59f82549088c22530d68deccccb4259280860335273c80
- memory/1052-54-0x0000000000000000-mapping.dmp
- memory/1052-55-0x0000000075441000-0x0000000075443000-memory.dmp
  Filesize: 8KB
- memory/1540-56-0x0000000000000000-mapping.dmp