Analysis
- max time kernel: 151s
- max time network: 171s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-06-2022 18:59
Static task: static1
Behavioral task: behavioral1
- Sample: 2fc7ae2a16b562b608dfd0e899ab172375525e0577119afe17803740cf56a61b.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2fc7ae2a16b562b608dfd0e899ab172375525e0577119afe17803740cf56a61b.dll
- Resource: win10v2004-20220414-en
General
- Target: 2fc7ae2a16b562b608dfd0e899ab172375525e0577119afe17803740cf56a61b.dll
- Size: 5.0MB
- MD5: 3695f6d3175e85e25ea3cc65ab3801cf
- SHA1: a51d6b609237e90287fc6fafb0e2391893785112
- SHA256: 2fc7ae2a16b562b608dfd0e899ab172375525e0577119afe17803740cf56a61b
- SHA512: 816a004d5bed585351ae4f115d5746623999608565f761e998b56f305e646e69e847e1c15027cb3cd8fe106b95f4d2c3f0dc97ebbd9d49180849b3801173a75a
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1267) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  1388 | mssecsvc.exe
  1144 | mssecsvc.exe
  2040 | tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  PID 1824 wrote to memory of 1008 | 1824 | rundll32.exe | rundll32.exe (7 entries)
  PID 1008 wrote to memory of 1388 | 1008 | rundll32.exe | mssecsvc.exe (4 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fc7ae2a16b562b608dfd0e899ab172375525e0577119afe17803740cf56a61b.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fc7ae2a16b562b608dfd0e899ab172375525e0577119afe17803740cf56a61b.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: d6da95961610cc1c42d670410387b12a
  SHA1: d77fbdbbb81b7fefd2087f8791fbe0942ef6b673
  SHA256: 2cf96ddb068e5e198d85709f8bc75faf51167827ea11f8a4cb728836cbc467fd
  SHA512: d5ac32397462214b1ae083ceb8f6e7afa5fa6223f09d8ce347c315e45411de19e329fc513d82ec47c2cafb2e0d181b47448d5619673dec48abcda0800f9d5a0a
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 4560ce126cc34e33839f4bafbeb801b0
  SHA1: ad3d81e70e7206fa255c12cbd3f863dfb72fb12c
  SHA256: 5facb4bca8b6a43fcf064b33c80c8727633fdc2532b2e66402b5cd954109cde0
  SHA512: 1aa20fe3e776def514c3b6035ff17e19373d07f0f4d8a39144484b31a8ba6368357d9db07b99e544ed27f7ee4856fd4fe50fea7f5aa7e85e408da7645f036d03
- memory/1008-54-0x0000000000000000-mapping.dmp
- memory/1008-55-0x0000000075381000-0x0000000075383000-memory.dmp
  Filesize: 8KB
- memory/1388-56-0x0000000000000000-mapping.dmp