Analysis
- max time kernel: 152s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 25-06-2022 22:25
Static task: static1
Behavioral task: behavioral1
- Sample: 37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll
- Resource: win10v2004-20220414-en
General
- Target: 37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll
- Size: 5.0MB
- MD5: 0e6c5008129bb859f0a760e1167f4097
- SHA1: f8bea1b72244172d15da1a4ee05d013db287abc4
- SHA256: 37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31
- SHA512: 40fa30544386a46297ebeaea229e52fb459135314df7b0119bc3275ee2b6d03aed6a183da343652d335edd168b414c17a34ab807971e4c8ad450e6b0bbb1e4b1
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1243) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For WannaCry this is the worm component (mssecsvc.exe) probing other hosts for SMB; the Network section of this report does not list the contacted hosts or ports, so the host count is the only evidence of the scan here.
- Executes dropped EXE (3 IoCs)
  pid   process
  956   mssecsvc.exe
  1416  mssecsvc.exe
  1432  tasksche.exe
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Program crash (1 IoC)
  pid   pid_target  process       target process
  1260  1432        WerFault.exe  tasksche.exe
- Modifies data under HKEY_USERS (1 IoC)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  The counters.dat file and the .DEFAULT Internet Settings key are both attributed in the process tree to the service instance (mssecsvc.exe -m security). They are WinINet artifacts, and the systemprofile directory and .DEFAULT hive are what a process running as LocalSystem touches when it uses WinINet; WannaCry's kill-switch domain check is made through WinINet.
- Suspicious use of WriteProcessMemory (19 IoCs)
  pid   process       target pid  target process  times reported
  912   rundll32.exe  1168        rundll32.exe    7
  1168  rundll32.exe  956         mssecsvc.exe    4
  956   mssecsvc.exe  1432        tasksche.exe    4
  1432  tasksche.exe  1260        WerFault.exe    4
  Every write here is from a parent into a child it has just created, which is what CreateProcess itself does when it populates the new process's parameters, so the writes alone are weak evidence of injection. The signal in this report is the lineage: rundll32.exe loading a DLL from the user's Temp directory, dropping mssecsvc.exe into C:\WINDOWS and executing it.
Processes
1. C:\Windows\system32\rundll32.exe (pid 912)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (pid 1168)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe (pid 956)
         C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of WriteProcessMemory
         4. C:\WINDOWS\tasksche.exe (pid 1432)
            C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\WerFault.exe (pid 1260)
               C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 36
               - Program crash
1. C:\WINDOWS\mssecsvc.exe (pid 1416)
   C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies data under HKEY_USERS

The pids are taken from the IoC tables above. The hop from system32\rundll32.exe to SysWOW64\rundll32.exe shows the DLL is 32-bit and was re-launched under WOW64 on this x64 host. The second root, mssecsvc.exe -m security, is the dropped binary started again as a service, which is the instance that touches the LocalSystem profile and hive. tasksche.exe, the component that carries the ransomware payload, crashed (WerFault.exe -p 1432) during this run, so the file-encryption stage is not reflected in these signatures.
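The process tree above and the 19 WriteProcessMemory rows describe the same lineage. The following Python is an added example, not part of the sandbox report or its tooling: it parses the rows in the flattened form the report uses, collapses the repeated parent/child pairs into counts, rebuilds the tree, and flags only the executions of dropped binaries. The row text is re-typed from the report; the parser, the function names and the DROPPED_IMAGES set are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# The 19 "Suspicious use of WriteProcessMemory" rows in the form this report
# flattens them to (re-typed from the report; the sandbox emits one row per
# observed write, hence the repetition).
WPM_ROWS = (
    "PID 912 wrote to memory of 1168 912 rundll32.exe rundll32.exe " * 7
    + "PID 1168 wrote to memory of 956 1168 rundll32.exe mssecsvc.exe " * 4
    + "PID 956 wrote to memory of 1432 956 mssecsvc.exe tasksche.exe " * 4
    + "PID 1432 wrote to memory of 1260 1432 tasksche.exe WerFault.exe " * 4
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the source
# pid is repeated because the report's table has a pid column of its own.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+) (?P<dst_name>\S+)"
)


def parse_wpm(text):
    """Return ({(src, dst): write count}, {pid: image name})."""
    edges = Counter()
    names = {}
    for m in ROW_RE.finditer(text):
        src, dst = int(m["src"]), int(m["dst"])
        edges[(src, dst)] += 1
        names[src] = m["src_name"]
        names[dst] = m["dst_name"]
    return edges, names


def build_tree(edges):
    """Parent -> children (in report order) and the pids that are never a target."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    targets = {dst for _, dst in edges}
    roots = sorted({src for src, _ in edges} - targets)
    return children, roots


def lineage(pid, children):
    """Depth-first list of pid and everything spawned beneath it."""
    out = [pid]
    for child in children.get(pid, []):
        out.extend(lineage(child, children))
    return out


def render(children, names, edges, pid, depth=0, parent=None):
    """Indented tree; each child notes how many writes its parent made into it."""
    note = f"  ({edges[(parent, pid)]} writes from parent)" if parent is not None else ""
    lines = [f"{'    ' * depth}{pid} {names.get(pid, '?')}{note}"]
    for child in children.get(pid, []):
        lines.extend(render(children, names, edges, child, depth + 1, pid))
    return lines


# A parent writing into a child it has just created is what CreateProcess does,
# so the writes themselves are weak evidence.  What is worth alerting on is a
# child whose image is one of the files the run dropped into C:\WINDOWS
# (names taken from the "Drops file in Windows directory" IoCs).
DROPPED_IMAGES = {"mssecsvc.exe", "tasksche.exe"}


def dropped_executions(edges, names):
    """(parent pid, child pid, child image) for every child that is a dropped binary."""
    return sorted((src, dst, names[dst]) for src, dst in edges if names[dst] in DROPPED_IMAGES)


if __name__ == "__main__":
    edges, names = parse_wpm(WPM_ROWS)
    children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, names, edges, root)))
    print("dropped-binary executions:", dropped_executions(edges, names))
```

The service instance (pid 1416) does not appear: it was started by the Service Control Manager, not by any process in the WriteProcessMemory rows, which is why the report shows it as a second root.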
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe (listed three times in the report, also as C:\Windows\mssecsvc.exe, with identical hashes)
  Filesize: 3.6MB
  MD5: 9057900258d9cdd64a479b2d72b0877d
  SHA1: 7b161c722039f8456f9cd8b31c674b39fd63d589
  SHA256: 9cbfe3942d5192a779c6ac9718922d4d0cec10297d68f377b791f554e3cd2a87
  SHA512: 93d65a5c1897b2512364257e2ed5c1951659413346a52ce2551607cfb732f83f256effa6fa0278cda098ec4fe9d801519c446384e3bcc5517863d8db65414398
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f5f27da84f5bdd5410d442e126eb0b51
  SHA1: 06ec74139d4857c8cf2ff5f943033a022fc2f6fa
  SHA256: ce55e8f2041f0dee35769c1b8b70ac077b86df17a0a593cc9dd3cc8c0ffc0b40
  SHA512: 86d1e2bef7f1e2dd35ad8a646e8ca91644f015c7688c4452434e7359ecc3826d46d70b859d16b3c3755fa58ffaac9c1107d47a4abd527b96592b9c05f278a9fd
- memory/956-56-0x0000000000000000-mapping.dmp
- memory/1168-54-0x0000000000000000-mapping.dmp
- memory/1168-55-0x0000000076181000-0x0000000076183000-memory.dmp
  Filesize: 8KB
- memory/1260-64-0x0000000000000000-mapping.dmp
- memory/1432-62-0x0000000000000000-mapping.dmp