Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-08-2022 19:36
Static task: static1
Behavioral task: behavioral1
- Sample: d7ec2cdb973d9ad2e489fa0c7b3ffeb4.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: d7ec2cdb973d9ad2e489fa0c7b3ffeb4.dll
- Resource: win10v2004-20220812-en
General
- Target: d7ec2cdb973d9ad2e489fa0c7b3ffeb4.dll
- Size: 5.0MB
- MD5: d7ec2cdb973d9ad2e489fa0c7b3ffeb4
- SHA1: 94466fff257c5e2135e5db48a7e4a0b1ab381d26
- SHA256: a7a578d123a9a77ec5ed304e5a4421a7f2ec27504afe6e96d1ffc9bf51a4dee1
- SHA512: 0eebfbc58ff348eb00f89c11f6d81e2a4a063621d0a31b0c134ce46660f1faa11a582cfedb7710f127e8e8b696f4c473e091695a84e43d1852dba157339f8ead
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593:TDqPe1Cxcxk3ZAEUadz
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (1259) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid  | process
  1056 | mssecsvc.exe
  616  | mssecsvc.exe
  908  | tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (the process for every entry below)
  description | ioc
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E4EFB8A7-5546-48E8-BBF4-C3EB977E3DBD}\WpadDecision = "0"
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E4EFB8A7-5546-48E8-BBF4-C3EB977E3DBD}\9e-36-d1-07-f2-3b
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-36-d1-07-f2-3b\WpadDecisionReason = "1"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-36-d1-07-f2-3b\WpadDecision = "0"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E4EFB8A7-5546-48E8-BBF4-C3EB977E3DBD}
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-36-d1-07-f2-3b
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-36-d1-07-f2-3b\WpadDecisionTime = 90de13cacab8d801
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E4EFB8A7-5546-48E8-BBF4-C3EB977E3DBD}\WpadDecisionReason = "1"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E4EFB8A7-5546-48E8-BBF4-C3EB977E3DBD}\WpadDecisionTime = 90de13cacab8d801
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E4EFB8A7-5546-48E8-BBF4-C3EB977E3DBD}\WpadNetworkName = "Network 3"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID 1676 (rundll32.exe) wrote to memory of PID 112 (rundll32.exe): 7 entries
  PID 112 (rundll32.exe) wrote to memory of PID 1056 (mssecsvc.exe): 4 entries
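The "contacts a large number of remote hosts" signature above is a fan-out heuristic: one process opening connections to far more distinct destinations than a normal client ever would. The following is an added example of that heuristic run over a constructed connection log; it is not code from the sandbox or from this report. The log layout (`<t_sec> <pid> <image> <dst_ip> <dst_port>`), the 60-second window, the threshold of 100 hosts and every sample line are assumptions. The sample gives mssecsvc.exe (pid 616, one of the pids in the "Executes dropped EXE" table) 600 connection attempts to 445/tcp within six seconds; probing TCP 445 is known WannaCry worm behaviour, but this report itself records only the host count, so the port column is constructed.

```python
"""Flag a process that fans out to an unusually large set of distinct remote hosts.

Added example for the "contacts a large number of remote hosts" signature;
not code from the sandbox report. Record layout and sample data are assumptions.
"""
from collections import defaultdict
from typing import Dict, Iterable, Iterator, Tuple

# Constructed sample log: "<t_sec> <pid> <image> <dst_ip> <dst_port>".
# 600 SMB attempts from mssecsvc.exe (pid 616) to distinct 10.0.x.y hosts in 6 s,
# plus a few unrelated connections that must not trigger the heuristic.
SAMPLE_LOG = "\n".join(
    [f"{10 + i * 0.01:.2f} 616 mssecsvc.exe 10.0.{i // 254}.{1 + i % 254} 445" for i in range(600)]
    + [
        "5.00 1676 rundll32.exe 10.0.0.1 445",
        "6.00 2001 chrome.exe 93.184.216.34 443",
        "7.00 2001 chrome.exe 93.184.216.34 443",
        "8.00 2001 chrome.exe 151.101.1.69 443",
    ]
)

Record = Tuple[float, int, str, str, int]


def parse_log(lines: Iterable[str]) -> Iterator[Record]:
    """Parse whitespace-separated records; blank lines are skipped."""
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        t, pid, image, ip, port = parts
        yield float(t), int(pid), image, ip, int(port)


def fan_out(log: str, window: float = 60.0, threshold: int = 100,
            ports: Tuple[int, ...] = ()) -> Dict[Tuple[int, str], int]:
    """Return {(pid, image): peak distinct destinations} for each process whose
    number of distinct destination IPs inside some `window`-second span reaches
    `threshold`. If `ports` is given, only connections to those ports count."""
    by_proc: Dict[Tuple[int, str], list] = defaultdict(list)
    for t, pid, image, ip, port in parse_log(log.splitlines()):
        if ports and port not in ports:
            continue
        by_proc[(pid, image)].append((t, ip))

    hits: Dict[Tuple[int, str], int] = {}
    for key, events in by_proc.items():
        events.sort()
        live: Dict[str, int] = defaultdict(int)  # ip -> connections still inside the window
        lo, peak = 0, 0
        for t, ip in events:
            live[ip] += 1
            # Slide the left edge forward until every counted event lies within `window` of t.
            while events[lo][0] < t - window:
                old_ip = events[lo][1]
                live[old_ip] -= 1
                if live[old_ip] == 0:
                    del live[old_ip]
                lo += 1
            peak = max(peak, len(live))
        if peak >= threshold:
            hits[key] = peak
    return hits


if __name__ == "__main__":
    for (pid, image), n in sorted(fan_out(SAMPLE_LOG, ports=(445,)).items()):
        print(f"{image} (pid {pid}) reached {n} distinct hosts inside one window")
```

Run as a script it prints the single offender. Against real telemetry, reduce Sysmon network-connection events or firewall logs to the same five fields and count connection attempts rather than established sessions, since a scanner that hits mostly closed ports never completes most of its connections.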
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7ec2cdb973d9ad2e489fa0c7b3ffeb4.dll,#1
  - Suspicious use of WriteProcessMemory
  - child: C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7ec2cdb973d9ad2e489fa0c7b3ffeb4.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - child: C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - child: C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (separate top-level instance, not under the rundll32.exe tree)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\WINDOWS\mssecsvc.exe (also listed as C:\Windows\mssecsvc.exe, twice, with identical hashes)
  Filesize: 3.6MB
  MD5: c18efac56280dfe18ebd1f361029d3f7
  SHA1: b079ad82c2341e9178ced0b6a62a484a12075b56
  SHA256: d013be1440f64e234c7631f2a3bb1b4d7c12bcb97d3804dc0e66753cde13ebc8
  SHA512: 8d1b77db6ad14e282cbcd3424318ee1457430e55d94fc7e27c528060082ec968d7ddee605784cc08ce216bcbed7486991dd36168bc01e3a56268c2d33b828191
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: fc0195c3fbc9d1ba19811d3c36b2bea4
  SHA1: d618abf74712f8730fbad1d0988d1c30e1ec036b
  SHA256: 0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739
  SHA512: 01423a0dd12ce2b337ef97087073945c9282cc0c51d8be12c43425e3357292b92f29ed43af52e7d6ff34adbb1cc10f8b34d2362995b3a9248bad71337b92d965
- memory/112-54-0x0000000000000000-mapping.dmp
- memory/112-55-0x0000000075E31000-0x0000000075E33000-memory.dmp
  Filesize: 8KB
- memory/1056-56-0x0000000000000000-mapping.dmp
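The process tree and the dropped-file hashes above are the indicators a responder would push into endpoint telemetry. The following is an added example that does that matching over constructed events; it is not code from the sandbox report. The event shape (dicts with "type", "image", "parent_image", "cmdline", "path", "sha256") is an assumption standing in for Sysmon-style process-create and file-create events, the rule labels are my own names, and SAMPLE_EVENTS replays the tree above with two details the report does not give and that are made up here: the parent of the first rundll32.exe and the parent of the "-m security" instance. The paths and SHA256 values are the report's.

```python
"""Match this report's host indicators against endpoint telemetry.

Added example, not code from the sandbox report. Event layout, rule labels and
the sample events are assumptions; hashes and paths come from the report.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# SHA256 of the two dropped executables from the Downloads section.
DROPPED_SHA256: Dict[str, str] = {
    "d013be1440f64e234c7631f2a3bb1b4d7c12bcb97d3804dc0e66753cde13ebc8": "mssecsvc.exe",
    "0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739": "tasksche.exe",
}
DROPPED_PATHS = (r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe")

# rundll32 loading a DLL out of the user's Temp directory by ordinal #1, as in the tree above.
_RUNDLL_TEMP_ORDINAL = re.compile(r"\\appdata\\local\\temp\\[^ ]+\.dll,#1\b", re.I)
_M_SECURITY = re.compile(r"\s-m\s+security\b", re.I)


def classify(event: dict) -> List[str]:
    """Return the labels (assumed names, not the sandbox's) for the indicators an event matches."""
    hits: List[str] = []
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    cmdline = event.get("cmdline", "")
    if event["type"] == "process":
        if image.endswith("\\rundll32.exe") and _RUNDLL_TEMP_ORDINAL.search(cmdline):
            hits.append("rundll32 loads Temp DLL by ordinal #1")
        if image == DROPPED_PATHS[0] and parent.endswith("\\rundll32.exe"):
            hits.append("rundll32.exe spawns C:\\WINDOWS\\mssecsvc.exe")
        if image == DROPPED_PATHS[0] and _M_SECURITY.search(cmdline):
            hits.append("mssecsvc.exe -m security")
        if image == DROPPED_PATHS[1] and parent == DROPPED_PATHS[0]:
            suffix = " /i" if cmdline.rstrip().endswith(" /i") else ""
            hits.append("mssecsvc.exe spawns tasksche.exe" + suffix)
    elif event["type"] == "file":
        sha256 = event.get("sha256", "").lower()
        if sha256 in DROPPED_SHA256:
            hits.append(f"dropped {DROPPED_SHA256[sha256]} (SHA256 match)")
        elif event.get("path", "").lower() in DROPPED_PATHS:
            # Same drop location, different bytes: worth a look, but not this exact build.
            hits.append("dropped-file path match but hash differs (possible other build)")
    return hits


def scan(events: List[dict]) -> List[Tuple[int, List[str]]]:
    """Return (event index, labels) for every event that matched at least one indicator."""
    out: List[Tuple[int, List[str]]] = []
    for i, event in enumerate(events):
        labels = classify(event)
        if labels:
            out.append((i, labels))
    return out


def sha256_of_file(path: str) -> str:
    """Hex SHA256 of a file on disk, for checking a suspect binary against DROPPED_SHA256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed events replaying the process tree and drops above; parent images for
# event 0 and event 3 are assumptions, the last two events are deliberate non-matches.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\system32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\d7ec2cdb973d9ad2e489fa0c7b3ffeb4.dll,#1"},
    {"type": "process", "image": r"C:\WINDOWS\mssecsvc.exe", "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "image": r"C:\WINDOWS\tasksche.exe", "parent_image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process", "image": r"C:\WINDOWS\mssecsvc.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"type": "file", "path": r"C:\WINDOWS\mssecsvc.exe",
     "sha256": "d013be1440f64e234c7631f2a3bb1b4d7c12bcb97d3804dc0e66753cde13ebc8"},
    {"type": "file", "path": r"C:\Windows\tasksche.exe", "sha256": "00" * 32},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for index, labels in scan(SAMPLE_EVENTS):
        print(index, "; ".join(labels))
```

The path rules are deliberately exact-match on the drop locations and the parent image rather than on "rundll32.exe" alone, since rundll32 is used legitimately all day; the hash rule catches this build, and the path-only fallback is there because a recompiled variant will keep the file names but not the hashes.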