wannacry | 5f6d6a6548884d0efc29d1019600fabe79dceebdd1eb6f43cd6c6f825c299114

General

Target

12eeb15b25510e632e27a0aab98e4ec4_JaffaCakes118.dll
Size

5.0MB
MD5

12eeb15b25510e632e27a0aab98e4ec4
SHA1

05e03714369de5050f75bd8fab609f15197743f2
SHA256

5f6d6a6548884d0efc29d1019600fabe79dceebdd1eb6f43cd6c6f825c299114
SHA512

2fa8dc20f661f90ed8fe52a9fc6383826c93c44791a6aa2aea9abb0815d8b6727faf5ae0f15075ccb78f1682f732b5fbe35a4cefc033a0c5c389b96c5f12c673
SSDEEP

49152:CnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAC:uDqPoBhz1aRxcSUDk36SAz

Score

10^/10

wannacry discovery evasion ransomware worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	mssecsvc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1"	mssecsvc.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3289) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1348 mssecsvc.exe
2716 mssecsvc.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2456 1348 WerFault.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

pid	pid_target	process	target process
2456	1348	WerFault.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

1348 mssecsvc.exe
1348 mssecsvc.exe
2716 mssecsvc.exe
2716 mssecsvc.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

mssecsvc.exe

pid	process
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe
1348	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description pid process

Token: SeDebugPrivilege 1348 mssecsvc.exe
Token: SeDebugPrivilege 2716 mssecsvc.exe

description	pid	process
Token: SeDebugPrivilege	1348	mssecsvc.exe
Token: SeDebugPrivilege	2716	mssecsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 2108 wrote to memory of 1244	2108	rundll32.exe	rundll32.exe
PID 2108 wrote to memory of 1244	2108	rundll32.exe	rundll32.exe
PID 2108 wrote to memory of 1244	2108	rundll32.exe	rundll32.exe
PID 1244 wrote to memory of 1348	1244	rundll32.exe	mssecsvc.exe
PID 1244 wrote to memory of 1348	1244	rundll32.exe	mssecsvc.exe
PID 1244 wrote to memory of 1348	1244	rundll32.exe	mssecsvc.exe
PID 1348 wrote to memory of 612	1348	mssecsvc.exe	winlogon.exe
PID 1348 wrote to memory of 612	1348	mssecsvc.exe	winlogon.exe
PID 1348 wrote to memory of 612	1348	mssecsvc.exe	winlogon.exe
PID 1348 wrote to memory of 612	1348	mssecsvc.exe	winlogon.exe
PID 1348 wrote to memory of 612	1348	mssecsvc.exe	winlogon.exe
PID 1348 wrote to memory of 612	1348	mssecsvc.exe	winlogon.exe
PID 1348 wrote to memory of 672	1348	mssecsvc.exe	lsass.exe
PID 1348 wrote to memory of 672	1348	mssecsvc.exe	lsass.exe
PID 1348 wrote to memory of 672	1348	mssecsvc.exe	lsass.exe
PID 1348 wrote to memory of 672	1348	mssecsvc.exe	lsass.exe
PID 1348 wrote to memory of 672	1348	mssecsvc.exe	lsass.exe
PID 1348 wrote to memory of 672	1348	mssecsvc.exe	lsass.exe
PID 1348 wrote to memory of 788	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 788	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 788	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 788	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 788	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 788	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 796	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 796	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 796	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 796	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 796	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 796	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 804	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 804	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 804	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 804	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 804	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 804	1348	mssecsvc.exe	fontdrvhost.exe
PID 1348 wrote to memory of 912	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 912	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 912	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 912	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 912	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 912	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 964	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 964	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 964	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 964	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 964	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 964	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 64	1348	mssecsvc.exe	dwm.exe
PID 1348 wrote to memory of 64	1348	mssecsvc.exe	dwm.exe
PID 1348 wrote to memory of 64	1348	mssecsvc.exe	dwm.exe
PID 1348 wrote to memory of 64	1348	mssecsvc.exe	dwm.exe
PID 1348 wrote to memory of 64	1348	mssecsvc.exe	dwm.exe
PID 1348 wrote to memory of 64	1348	mssecsvc.exe	dwm.exe
PID 1348 wrote to memory of 696	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 696	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 696	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 696	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 696	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 696	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 1020	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 1020	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 1020	1348	mssecsvc.exe	svchost.exe
PID 1348 wrote to memory of 1020	1348	mssecsvc.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:796

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:788

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
2⤵
PID:2032

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3716

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3876

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:3960

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4092

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4496

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:5112

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:4868

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
2⤵
PID:1704

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
2⤵
PID:4344

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:3064

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4520

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3884

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1160

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1480

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2016

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2192

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2568

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3404

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12eeb15b25510e632e27a0aab98e4ec4_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12eeb15b25510e632e27a0aab98e4ec4_JaffaCakes118.dll,#1
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1244

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1424
5⤵
- Program crash
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:880

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:812

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
bb8eae4ad5f9b559c23fb37c9bb464b6

SHA1
f7b3600b9d14b33df314a6ed2bbd4d04ee9af711

SHA256
817bfc770d9cfa26df9e7cf15137c3f9cdd6a3937afa3662e48cb97a0455677e

SHA512
645b8b06cd18ad4117ac01dd95807fbed49455729735319f84638624a350d6f74c07775d707a6c5ebd2d51e1dbccc14d86235979f187aa255a79f38c21935e03

Download Submit
memory/1348-4-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/1348-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/1348-7-0x0000000077393000-0x0000000077394000-memory.dmp

Filesize
4KB

Download
memory/1348-6-0x0000000077392000-0x0000000077393000-memory.dmp

Filesize
4KB

Download
memory/1348-8-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/1348-11-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/1348-12-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/1348-14-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/1348-16-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/1348-18-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2716-10-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads