Overview
overview
10Static
static
3Security.exe
windows7-x64
1Security.exe
windows10-2004-x64
1Security_x64.exe
windows7-x64
1Security_x64.exe
windows10-2004-x64
1Setup1.exe
windows7-x64
3Setup1.exe
windows10-2004-x64
3hh.exe
windows7-x64
1hh.exe
windows10-2004-x64
1mssecsvc.exe
windows7-x64
10mssecsvc.exe
windows10-2004-x64
10qeriuwjhrf.exe
windows7-x64
qeriuwjhrf.exe
windows10-2004-x64
tasksche.exe
windows7-x64
tasksche.exe
windows10-2004-x64
Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240319-en -
resource tags
arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system -
submitted
15-04-2024 13:35
Static task
static1
Behavioral task
behavioral1
Sample
Security.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Security.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral3
Sample
Security_x64.exe
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
Security_x64.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral5
Sample
Setup1.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
Setup1.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral7
Sample
hh.exe
Resource
win7-20240215-en
Behavioral task
behavioral8
Sample
hh.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral9
Sample
mssecsvc.exe
Resource
win7-20240319-en
Behavioral task
behavioral10
Sample
mssecsvc.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral11
Sample
qeriuwjhrf.exe
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
qeriuwjhrf.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral13
Sample
tasksche.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
tasksche.exe
Resource
win10v2004-20240226-en
General
-
Target
mssecsvc.exe
-
Size
3.6MB
-
MD5
2cb069c56956bb9b6e62d393758d61a7
-
SHA1
220f4451f7ec2de03b482ddcf28c6ecda3e5366f
-
SHA256
0791f5ae5cbeec298082736457292521b23874ae0e77506c4ea12e65e3d2e52f
-
SHA512
13f47349f24593b4a0eb3094e816cf5c4bc826dc9a08c0ec9f5a4a55a17412b59fc6cfb2dcadbe1222c35e6d991e05605bf7db98b53557a2c128e831171babf3
-
SSDEEP
98304:yDqPoO1aRxcSUDk36SAEdhvxWa9P593RU:yDqPj1Cxcxk3ZAEUadzRU
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3179) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 2544 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F3668DAE-2435-429E-BD6A-86EF10029AA2}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-40-e7-d4-4c-e6 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-40-e7-d4-4c-e6\WpadDecisionTime = d001e5d5398fda01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0027000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-40-e7-d4-4c-e6\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-40-e7-d4-4c-e6\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F3668DAE-2435-429E-BD6A-86EF10029AA2}\86-40-e7-d4-4c-e6 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F3668DAE-2435-429E-BD6A-86EF10029AA2} mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F3668DAE-2435-429E-BD6A-86EF10029AA2}\WpadDecisionTime = d001e5d5398fda01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F3668DAE-2435-429E-BD6A-86EF10029AA2}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F3668DAE-2435-429E-BD6A-86EF10029AA2}\WpadNetworkName = "Network 3" mssecsvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe"C:\Users\Admin\AppData\Local\Temp\mssecsvc.exe"1⤵
- Drops file in Windows directory
PID:2276 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2544
-
C:\Users\Admin\AppData\Local\Temp\mssecsvc.exeC:\Users\Admin\AppData\Local\Temp\mssecsvc.exe -m security1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2752
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5d59d6d48c3d6e9292c296e557a186391
SHA17f0916d7befcf929521087cde11b6d94d7331154
SHA256905ad8e2fc1f98ab1e934de1d01d85973291ccadd41c85ba1a7dcc3b2af6ed96
SHA5127b2fc97070ac47e6596cfe0da96b1b1369feeb4ab62af136f172ee306187cee3e04b68b8f786d7b4b4dee49054d53a33cd8048abdc8cba9853b3e119a08ac23e