wannacry | e572ac2cb59c9efb7d130b6d0b126abdb2c5418eb23eef13257eafcc38ed963f

General

Target

6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll
Size

5.0MB
MD5

6aa433b987f747ea18bd1daba29b19a6
SHA1

c4a60a470025c45d224276be50fe9ac8370ddee1
SHA256

e572ac2cb59c9efb7d130b6d0b126abdb2c5418eb23eef13257eafcc38ed963f
SHA512

f5939aa010fc822d3b2017d6091b802f27d96f01c914b659280a862cb11b453a59a379772795c199c377171fc35dcc6208a13c2a716137aca7318bc5212c21e3
SSDEEP

24576:ObLgdeQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKt:OnjQqMSPbcBVQej/1INK

Score

10^/10

wannacry discovery evasion ransomware worm

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	mssecsvc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1"	mssecsvc.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3326) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

3084 mssecsvc.exe
2216 mssecsvc.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4172 3084 WerFault.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

pid	pid_target	process	target process
4172	3084	WerFault.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exemssecsvc.exemssecsvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

3084 mssecsvc.exe
3084 mssecsvc.exe
2216 mssecsvc.exe
2216 mssecsvc.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

mssecsvc.exe

pid	process
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe
3084	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

description pid process

Token: SeDebugPrivilege 3084 mssecsvc.exe
Token: SeDebugPrivilege 2216 mssecsvc.exe

description	pid	process
Token: SeDebugPrivilege	3084	mssecsvc.exe
Token: SeDebugPrivilege	2216	mssecsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1504 wrote to memory of 3264	1504	rundll32.exe	rundll32.exe
PID 1504 wrote to memory of 3264	1504	rundll32.exe	rundll32.exe
PID 1504 wrote to memory of 3264	1504	rundll32.exe	rundll32.exe
PID 3264 wrote to memory of 3084	3264	rundll32.exe	mssecsvc.exe
PID 3264 wrote to memory of 3084	3264	rundll32.exe	mssecsvc.exe
PID 3264 wrote to memory of 3084	3264	rundll32.exe	mssecsvc.exe
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	winlogon.exe
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	winlogon.exe
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	winlogon.exe
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	winlogon.exe
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	winlogon.exe
PID 3084 wrote to memory of 632	3084	mssecsvc.exe	winlogon.exe
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	lsass.exe
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	lsass.exe
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	lsass.exe
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	lsass.exe
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	lsass.exe
PID 3084 wrote to memory of 680	3084	mssecsvc.exe	lsass.exe
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 780	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 788	3084	mssecsvc.exe	fontdrvhost.exe
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 804	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 912	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 960	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	dwm.exe
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	dwm.exe
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	dwm.exe
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	dwm.exe
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	dwm.exe
PID 3084 wrote to memory of 388	3084	mssecsvc.exe	dwm.exe
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 752	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 980	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 980	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 980	3084	mssecsvc.exe	svchost.exe
PID 3084 wrote to memory of 980	3084	mssecsvc.exe	svchost.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:780

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:388

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:804

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
2⤵
PID:3172

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4000

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:4080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3560

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:4028

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3984

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
2⤵
PID:2044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3920

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:1664

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
2⤵
PID:2360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:316

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1140

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1480

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2176

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2232

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2868

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3348

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3544

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6aa433b987f747ea18bd1daba29b19a6_JaffaCakes118.dll,#1
3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3264

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1252
5⤵
- Program crash
PID:4172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3784

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2112

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3084 -ip 3084
1⤵
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

Modify Registry

Credential Access

Discovery

Network Service Discovery

2

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
b2b0bc696271321075d678c832b9db9c

SHA1
801343b88e1e276da1585564bcf22b9f114a48c0

SHA256
6729590951a87257c5509e08c3d6c12ecdc78645e478c387d660663fb93087ba

SHA512
3106db6137ec2d32e83c6024261878f2bbc2016e95f5213c4e6bdca8d792ca36e0b574fa85d57aaa46de5a91b9759826a72ab3b7f08e54737d0fd7fbb86e569b

Download Submit
memory/2216-19-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2216-10-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/3084-7-0x0000000077483000-0x0000000077484000-memory.dmp

Filesize
4KB

Download
memory/3084-6-0x0000000077482000-0x0000000077483000-memory.dmp

Filesize
4KB

Download
memory/3084-8-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3084-5-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3084-12-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3084-11-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3084-14-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/3084-16-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3084-18-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/3084-4-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads