Resubmissions (submitted, analysis ID, score)
06/01/2023, 11:00  230106-m4e4vafg75  10
06/01/2023, 11:00  230106-m3yjssbd9w  10
06/01/2023, 01:01  230106-bdnshsdh26  10

Analysis
max time kernel: 26s
max time network: 28s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 06/01/2023, 11:00
Static task: static1
Behavioral task: behavioral1
Sample: mssecsvr.exe
Resource: win7-20221111-en
9 signatures
150 seconds
General
Target: mssecsvr.exe
Size: 2.2MB
MD5: 115b1d97402bc50dacb74ba73c7464d2
SHA1: 799abb0d4067ec605126cd40ce52949510a60cf7
SHA256: a837de3df64de641ca48b50983dc072692e237a24197bcc0c080152c4ddc3c2b
SHA512: 910bf83e0c71df49d5c47cfd078d961ac5214fbcc14ed73052075f0e00e80bd942bc2fbb585630b630d78ac713d7a0dc899aa95a14f2554440f09c6119833bc4
SSDEEP: 49152:QnnMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvn:QnPoBhz1aRxcSUDk36SAEdhvn
Score: 10/10
Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvr.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\3HJ07IPF.txt | mssecsvr.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\3HJ07IPF.txt | mssecsvr.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\WINDOWS\tasksche.exe | mssecsvr.exe

Modifies data under HKEY_USERS (24 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C2C93F7-B518-42E5-8383-1FA42D4F4590}\WpadDecision = "0" | mssecsvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C2C93F7-B518-42E5-8383-1FA42D4F4590}\6e-99-f0-1e-37-37 | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-99-f0-1e-37-37\WpadDecision = "0" | mssecsvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f004e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C2C93F7-B518-42E5-8383-1FA42D4F4590} | mssecsvr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C2C93F7-B518-42E5-8383-1FA42D4F4590}\WpadNetworkName = "Network 2" | mssecsvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvr.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-99-f0-1e-37-37 | mssecsvr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-99-f0-1e-37-37\WpadDecisionTime = 70ff2b74c621d901 | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvr.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-99-f0-1e-37-37\WpadDecisionReason = "1" | mssecsvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvr.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C2C93F7-B518-42E5-8383-1FA42D4F4590}\WpadDecisionTime = 70ff2b74c621d901 | mssecsvr.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvr.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6C2C93F7-B518-42E5-8383-1FA42D4F4590}\WpadDecisionReason = "1" | mssecsvr.exe

Suspicious behavior: EnumeratesProcesses (9 IoCs)
pid | Process
1560 | taskmgr.exe (9 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1560 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1560 | taskmgr.exe

Suspicious use of FindShellTrayWindow (34 IoCs)
pid | Process
1560 | taskmgr.exe (34 hits)

Suspicious use of SendNotifyMessage (34 IoCs)
pid | Process
1560 | taskmgr.exe (34 hits)
Processes

C:\Users\Admin\AppData\Local\Temp\mssecsvr.exe
command line: "C:\Users\Admin\AppData\Local\Temp\mssecsvr.exe"
- Drops file in Windows directory
PID: 1228

C:\Users\Admin\AppData\Local\Temp\mssecsvr.exe
command line: C:\Users\Admin\AppData\Local\Temp\mssecsvr.exe -m security
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID: 520

C:\Windows\system32\taskmgr.exe
command line: "C:\Windows\system32\taskmgr.exe" /4
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 1560