Analysis

max time kernel: 61s
max time network: 63s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 10-10-2022 13:41
Static task: static1

Behavioral task: behavioral1
  Sample: d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll
  Resource: win10v2004-20220812-en
General

Target: d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll
Size: 5.0MB
MD5: 64f90ae0b16ad69df763d4172bf7b121
SHA1: cd13b94c91bcc035464c28ca953b1fca990f59d5
SHA256: d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7
SHA512: 4d3987cf1e8f6d19f9d7c2009a579deb4793bba89fa12087a865ab4638b20183068520e656d0573974fd8ff8cc6b555f1b6289251d0864852412b070590b88fe
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9Z:+DqPoBhz1aRxcSUDk36SAEdhvxWa9Z
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  2040  mssecsvc.exe
  268   mssecsvc.exe
  1188  tasksche.exe

Drops file in System32 directory (1 IoC)
Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe

Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
Modifies data under HKEY_USERS (24 IoCs)
Processes: mssecsvc.exe
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A6A4484E-82CA-4B36-8C95-BDDBA98AC720}\WpadDecisionTime = 207ce8cdbedcd801 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-61-41-c2-1a-05\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A6A4484E-82CA-4B36-8C95-BDDBA98AC720}\2e-61-41-c2-1a-05 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-61-41-c2-1a-05\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-61-41-c2-1a-05\WpadDecisionTime = 207ce8cdbedcd801 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A6A4484E-82CA-4B36-8C95-BDDBA98AC720}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A6A4484E-82CA-4B36-8C95-BDDBA98AC720}\WpadNetworkName = "Network" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-61-41-c2-1a-05 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0002000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A6A4484E-82CA-4B36-8C95-BDDBA98AC720} | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A6A4484E-82CA-4B36-8C95-BDDBA98AC720}\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1336 wrote to memory of 1176 | 1336 | rundll32.exe | rundll32.exe
  PID 1336 wrote to memory of 1176 | 1336 | rundll32.exe | rundll32.exe
  PID 1336 wrote to memory of 1176 | 1336 | rundll32.exe | rundll32.exe
  PID 1336 wrote to memory of 1176 | 1336 | rundll32.exe | rundll32.exe
  PID 1336 wrote to memory of 1176 | 1336 | rundll32.exe | rundll32.exe
  PID 1336 wrote to memory of 1176 | 1336 | rundll32.exe | rundll32.exe
  PID 1336 wrote to memory of 1176 | 1336 | rundll32.exe | rundll32.exe
  PID 1176 wrote to memory of 2040 | 1176 | rundll32.exe | mssecsvc.exe
  PID 1176 wrote to memory of 2040 | 1176 | rundll32.exe | mssecsvc.exe
  PID 1176 wrote to memory of 2040 | 1176 | rundll32.exe | mssecsvc.exe
  PID 1176 wrote to memory of 2040 | 1176 | rundll32.exe | mssecsvc.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll,#1
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory

    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory

      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix
Downloads

C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 797d5d31c4e6c1accb2cbfddec8d66b9
  SHA1: dd5d04b01214dffdd75c575eefd342026c66a39d
  SHA256: bbc4e7f739d9e7f38a343fc018bf5df9d654ed1a52dcaf00b6cc6cfdc8b18cbd
  SHA512: ec26bd4120474d5a996a61c202befb548b5add6ac933986f6a992d050f00ccc3ebe49d19dc6946479da5605067df7b02f26f56e64855b029721f8789ae563e42

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 797d5d31c4e6c1accb2cbfddec8d66b9
  SHA1: dd5d04b01214dffdd75c575eefd342026c66a39d
  SHA256: bbc4e7f739d9e7f38a343fc018bf5df9d654ed1a52dcaf00b6cc6cfdc8b18cbd
  SHA512: ec26bd4120474d5a996a61c202befb548b5add6ac933986f6a992d050f00ccc3ebe49d19dc6946479da5605067df7b02f26f56e64855b029721f8789ae563e42
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 04af554ac498ed9e1353a8751bee6001
  SHA1: 077c84f26b471c1b0075490d89fdfc5de6f7b9af
  SHA256: 84b63d5d32bdbc8570257cbd5592c37626c1808a662ad70ae8972a75b4c61158
  SHA512: 9fb261d4f2cedd26934df9f15f9044c22beaecbe109646fd0604b615344a9be124598018844b18b4a6e279df2431dba0158c9cf566036ecbbd3681e6e97e866a

memory/1176-54-0x0000000000000000-mapping.dmp

memory/1176-55-0x00000000762D1000-0x00000000762D3000-memory.dmp
  Filesize: 8KB

memory/2040-56-0x0000000000000000-mapping.dmp