Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 15-05-2021 03:58

Static task: static1

Behavioral task: behavioral1
- Sample: da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll
- Resource: win10v20210408

General
- Target: da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll
- Size: 5.0MB
- MD5: b7aaeb286309a92f575247014054dc9a
- SHA1: 5420861f432a03c2371cd2d38dfa7b311dc4b4b8
- SHA256: da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c
- SHA512: e4cfe25feb734f93b1c861ad8ae384f04d19773e4c7a081b82150b4d532ebc52c68516c6f8d6281ac32ae61b0f1689b204c541db965158fc7c1a0adf27d5cd0c
Malware Config

Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 1028: mssecsvc.exe
  - PID 1788: mssecsvc.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (1 IoC)
  Processes:
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (process: mssecsvc.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  - PID 1028: mssecsvc.exe
  - PID 1788: mssecsvc.exe
- Suspicious behavior: MapViewOfSection (39 IoCs)
  Processes (39 events in total, all from the two PIDs below):
  - PID 1028: mssecsvc.exe
  - PID 1788: mssecsvc.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 1028 (mssecsvc.exe)
  - Token: SeDebugPrivilege, PID 1788 (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source PID wrote to memory of target PID; source process -> target process; number of recorded events):
  - PID 1420 wrote to memory of 1188: rundll32.exe -> rundll32.exe (7 events)
  - PID 1188 wrote to memory of 1028: rundll32.exe -> mssecsvc.exe (4 events)
  - PID 1028 wrote to memory of 372: mssecsvc.exe -> wininit.exe (7 events)
  - PID 1028 wrote to memory of 384: mssecsvc.exe -> csrss.exe (7 events)
  - PID 1028 wrote to memory of 420: mssecsvc.exe -> winlogon.exe (7 events)
  - PID 1028 wrote to memory of 464: mssecsvc.exe -> services.exe (7 events)
  - PID 1028 wrote to memory of 480: mssecsvc.exe -> lsass.exe (7 events)
  - PID 1028 wrote to memory of 488: mssecsvc.exe -> lsm.exe (7 events)
  - PID 1028 wrote to memory of 580: mssecsvc.exe -> svchost.exe (7 events)
  - PID 1028 wrote to memory of 660: mssecsvc.exe -> svchost.exe (4 events)
Processes (image path, command line, PID; indentation shows parent/child relationship)
- C:\Windows\system32\wininit.exe (cmd: wininit.exe), PID 372
  - C:\Windows\system32\lsass.exe (cmd: C:\Windows\system32\lsass.exe), PID 480
  - C:\Windows\system32\services.exe (cmd: C:\Windows\system32\services.exe), PID 464
    - C:\Windows\System32\svchost.exe (cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted), PID 752
    - C:\Windows\System32\svchost.exe (cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted), PID 792
      - C:\Windows\system32\Dwm.exe (cmd: "C:\Windows\system32\Dwm.exe"), PID 1240
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k LocalService), PID 840
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k netsvcs), PID 876
      - C:\Windows\system32\wbem\WMIADAP.EXE (cmd: wmiadap.exe /F /T /R), PID 1140
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k NetworkService), PID 112
    - C:\Windows\System32\spoolsv.exe (cmd: C:\Windows\System32\spoolsv.exe), PID 284
    - C:\Windows\system32\taskhost.exe (cmd: "taskhost.exe"), PID 1132
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork), PID 1052
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k RPCSS), PID 660
    - C:\Windows\system32\svchost.exe (cmd: C:\Windows\system32\svchost.exe -k DcomLaunch), PID 580
    - C:\WINDOWS\mssecsvc.exe (cmd: C:\WINDOWS\mssecsvc.exe -m security), PID 1788
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\lsm.exe (cmd: C:\Windows\system32\lsm.exe), PID 488
- C:\Windows\system32\csrss.exe (cmd: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16), PID 384
- C:\Windows\system32\winlogon.exe (cmd: winlogon.exe), PID 420
- C:\Windows\Explorer.EXE (cmd: C:\Windows\Explorer.EXE), PID 1288
  - C:\Windows\system32\rundll32.exe (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll,#1), PID 1420
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (cmd: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll,#1), PID 1188
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\WINDOWS\mssecsvc.exe (cmd: C:\WINDOWS\mssecsvc.exe), PID 1028
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads
- C:\WINDOWS\MSSECSVC.EXE
  - MD5: 6081e20a243389a518cb8055bc93a948
  - SHA1: 7695d90ba77b4b7c493093805ecae511da226b07
  - SHA256: 3fe6d0ad1b4253c297f7979e6e72196a8e884f45d2921c7133c8cfe6695ad740
  - SHA512: a4713c0e608bba5c8cc87c83f8d69282a47c487ab3ec587ee62e375bd6c66e5180e88bd539ff2479197dda21268577d10240c4b4fb30e11936fb4a58ec1ae94f
- C:\Windows\mssecsvc.exe
  - MD5: 6081e20a243389a518cb8055bc93a948
  - SHA1: 7695d90ba77b4b7c493093805ecae511da226b07
  - SHA256: 3fe6d0ad1b4253c297f7979e6e72196a8e884f45d2921c7133c8cfe6695ad740
  - SHA512: a4713c0e608bba5c8cc87c83f8d69282a47c487ab3ec587ee62e375bd6c66e5180e88bd539ff2479197dda21268577d10240c4b4fb30e11936fb4a58ec1ae94f
- memory/1028-61-0x0000000000000000-mapping.dmp
- memory/1028-67-0x000000007EF90000-0x000000007EF9C000-memory.dmp (Filesize: 48KB)
- memory/1188-59-0x0000000000000000-mapping.dmp
- memory/1188-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp (Filesize: 8KB)