Analysis
-
max time kernel
151s -
max time network
167s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
10-10-2022 11:23
Static task
static1
Behavioral task
behavioral1
Sample
d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll
Resource
win10v2004-20220812-en
General
-
Target
d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll
-
Size
5.0MB
-
MD5
64f90ae0b16ad69df763d4172bf7b121
-
SHA1
cd13b94c91bcc035464c28ca953b1fca990f59d5
-
SHA256
d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7
-
SHA512
4d3987cf1e8f6d19f9d7c2009a579deb4793bba89fa12087a865ab4638b20183068520e656d0573974fd8ff8cc6b555f1b6289251d0864852412b070590b88fe
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9Z:+DqPoBhz1aRxcSUDk36SAEdhvxWa9Z
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (1260) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid | process
952 | mssecsvc.exe
1500 | mssecsvc.exe
1884 | tasksche.exe
-
Drops file in System32 directory 1 IoCs
Processes: mssecsvc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes: mssecsvc.exe, rundll32.exe
description | ioc | process
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes: mssecsvc.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-0d-d0-e6-d2-44 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-0d-d0-e6-d2-44\WpadDecisionTime = e067689cabdcd801 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931}\WpadDecision = "0" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931}\WpadDecisionTime = e067689cabdcd801 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-0d-d0-e6-d2-44\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931} | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931}\b2-0d-d0-e6-d2-44 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-0d-d0-e6-d2-44\WpadDecisionReason = "1" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E87D1D57-D2E1-4C4A-BAA9-3EBF17803931}\WpadNetworkName = "Network 3" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 1896 wrote to memory of 1232 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1232 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1232 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1232 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1232 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1232 | 1896 | rundll32.exe | rundll32.exe
PID 1896 wrote to memory of 1232 | 1896 | rundll32.exe | rundll32.exe
PID 1232 wrote to memory of 952 | 1232 | rundll32.exe | mssecsvc.exe
PID 1232 wrote to memory of 952 | 1232 | rundll32.exe | mssecsvc.exe
PID 1232 wrote to memory of 952 | 1232 | rundll32.exe | mssecsvc.exe
PID 1232 wrote to memory of 952 | 1232 | rundll32.exe | mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll,#1
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    -
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      -
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
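The process tree, the dropped-file hashes and the remote-host count above translate directly into host-side detection logic. The following is an added example, not part of the sandbox output: it matches constructed process-creation records against the rundll32.exe -> mssecsvc.exe -> tasksche.exe /i chain and the "mssecsvc.exe -m security" service instance, checks a file inventory against the SHA-256 values listed in this report, and flags any process that reaches an unusual number of distinct hosts. The event field names, the parent of the service instance, and every network peer address are assumptions; the pids, paths and hashes are taken from the report.

```python
"""Detection logic for the behaviour recorded in this report.

Added example, not part of the sandbox output. Event records below are
constructed to mirror the report (pids, paths and hashes come from it; the
parent of the '-m security' instance and all network peers are assumptions).
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass

# SHA-256 values from the report: the submitted DLL and the two dropped binaries.
KNOWN_SHA256 = {
    "d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7": "WannaCry dropper DLL (submitted sample)",
    "bbc4e7f739d9e7f38a343fc018bf5df9d654ed1a52dcaf00b6cc6cfdc8b18cbd": "mssecsvc.exe (dropped)",
    "84b63d5d32bdbc8570257cbd5592c37626c1808a662ad70ae8972a75b4c61158": "tasksche.exe (dropped)",
}


@dataclass
class ProcEvent:
    """Minimal process-creation record (field names are assumptions, not a vendor schema)."""
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the creating process


def match_process_chain(events):
    """Flag the rundll32 -> mssecsvc.exe -> 'tasksche.exe /i' chain and the
    'mssecsvc.exe -m security' service instance seen in the process tree."""
    findings = []
    for e in events:
        img, parent, cmd = e.image.lower(), e.parent_image.lower(), e.cmdline.lower()
        if parent.endswith("\\rundll32.exe") and img.endswith("\\mssecsvc.exe"):
            findings.append(f"pid {e.pid}: rundll32.exe spawned {e.image}")
        if parent.endswith("\\mssecsvc.exe") and img.endswith("\\tasksche.exe") and re.search(r"\s/i\b", cmd):
            findings.append(f"pid {e.pid}: mssecsvc.exe spawned tasksche.exe /i")
        if img.endswith("\\mssecsvc.exe") and "-m security" in cmd:
            findings.append(f"pid {e.pid}: mssecsvc.exe running as a service (-m security)")
    return findings


def match_hashes(inventory):
    """inventory maps a path to either file bytes or a precomputed SHA-256 hex digest.
    Returns {path: label} for every entry whose digest is in KNOWN_SHA256."""
    hits = {}
    for path, content in inventory.items():
        digest = content if isinstance(content, str) else hashlib.sha256(content).hexdigest()
        label = KNOWN_SHA256.get(digest.lower())
        if label:
            hits[path] = label
    return hits


def find_scanners(connections, threshold=100):
    """connections is an iterable of (pid, destination_ip). Returns {pid: distinct_hosts}
    for processes that reached at least `threshold` distinct hosts, the pattern behind
    the report's 'contacts a large number of remote hosts' signature."""
    hosts = defaultdict(set)
    for pid, dst in connections:
        hosts[pid].add(dst)
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


# Constructed sample input; pids and paths mirror the report's process tree.
DLL = r"C:\Users\Admin\AppData\Local\Temp\d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll"
SAMPLE_PROC_EVENTS = [
    ProcEvent(1232, 1896, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1", r"C:\Windows\system32\rundll32.exe"),
    ProcEvent(952, 1232, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(1884, 952, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i", r"C:\WINDOWS\mssecsvc.exe"),
    # Parent of the service instance is assumed (services.exe); the report does not show it.
    ProcEvent(1500, 4, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security", r"C:\Windows\System32\services.exe"),
    ProcEvent(2000, 1000, r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\System32\userinit.exe"),  # benign
]
SAMPLE_INVENTORY = {
    r"C:\WINDOWS\mssecsvc.exe": "bbc4e7f739d9e7f38a343fc018bf5df9d654ed1a52dcaf00b6cc6cfdc8b18cbd",
    r"C:\WINDOWS\tasksche.exe": "84b63d5d32bdbc8570257cbd5592c37626c1808a662ad70ae8972a75b4c61158",
    r"C:\Users\Admin\notes.txt": b"constructed benign content",
}
# 1260 distinct peers for pid 952 (the report's count; the addresses are made up),
# plus two for the benign process.
SAMPLE_CONNECTIONS = [(952, f"10.{i // 256}.{i % 256}.1") for i in range(1260)] + [(2000, "10.0.0.1"), (2000, "10.0.0.2")]

if __name__ == "__main__":
    for line in match_process_chain(SAMPLE_PROC_EVENTS):
        print(line)
    print(match_hashes(SAMPLE_INVENTORY))
    print(find_scanners(SAMPLE_CONNECTIONS))
```

The chain match keys on parent/child image names and the "/i" and "-m security" arguments rather than on pids, since pids differ per host; the hash check accepts either raw bytes or a precomputed digest so it can run over an EDR file inventory as well as over files pulled from disk.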
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\WINDOWS\mssecsvc.exe
Filesize 3.6MB
MD5 797d5d31c4e6c1accb2cbfddec8d66b9
SHA1 dd5d04b01214dffdd75c575eefd342026c66a39d
SHA256 bbc4e7f739d9e7f38a343fc018bf5df9d654ed1a52dcaf00b6cc6cfdc8b18cbd
SHA512 ec26bd4120474d5a996a61c202befb548b5add6ac933986f6a992d050f00ccc3ebe49d19dc6946479da5605067df7b02f26f56e64855b029721f8789ae563e42
-
C:\Windows\mssecsvc.exe
Filesize 3.6MB
MD5 797d5d31c4e6c1accb2cbfddec8d66b9
SHA1 dd5d04b01214dffdd75c575eefd342026c66a39d
SHA256 bbc4e7f739d9e7f38a343fc018bf5df9d654ed1a52dcaf00b6cc6cfdc8b18cbd
SHA512 ec26bd4120474d5a996a61c202befb548b5add6ac933986f6a992d050f00ccc3ebe49d19dc6946479da5605067df7b02f26f56e64855b029721f8789ae563e42
-
C:\Windows\tasksche.exe
Filesize 3.4MB
MD5 04af554ac498ed9e1353a8751bee6001
SHA1 077c84f26b471c1b0075490d89fdfc5de6f7b9af
SHA256 84b63d5d32bdbc8570257cbd5592c37626c1808a662ad70ae8972a75b4c61158
SHA512 9fb261d4f2cedd26934df9f15f9044c22beaecbe109646fd0604b615344a9be124598018844b18b4a6e279df2431dba0158c9cf566036ecbbd3681e6e97e866a
-
memory/952-56-0x0000000000000000-mapping.dmp
-
memory/1232-54-0x0000000000000000-mapping.dmp
-
memory/1232-55-0x0000000076041000-0x0000000076043000-memory.dmp
Filesize 8KB