Analysis
  max time kernel:  151s
  max time network: 155s
  platform:         windows7_x64
  resource:         win7-20220414-en
  submitted:        07-07-2022 17:48
Static task: static1

Behavioral task: behavioral1
  Sample:   44e7f44b6edf55d6a96cf66d9d75f65acc9cd2db54760e20729d5d9d09877537.dll
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample:   44e7f44b6edf55d6a96cf66d9d75f65acc9cd2db54760e20729d5d9d09877537.dll
  Resource: win10v2004-20220414-en
General
  Target: 44e7f44b6edf55d6a96cf66d9d75f65acc9cd2db54760e20729d5d9d09877537.dll
  Size:   5.0MB
  MD5:    4af86c6c774337fab08e425232aa046d
  SHA1:   3d496391ade070cc84b0db60c96bbacef6489934
  SHA256: 44e7f44b6edf55d6a96cf66d9d75f65acc9cd2db54760e20729d5d9d09877537
  SHA512: 5fcf35d5f052f00773e19a152cef794f84a5a8671b3fc7770a2a435775144ea11720bd2ebfc3f142cafd9bf8251d153155e3be2a44615d5de62ee3824286d1d6
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (1277) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    1628 | mssecsvc.exe
    1716 | mssecsvc.exe
    1512 | tasksche.exe

- Drops file in System32 directory (1 IoC)
  Processes:
    description                  | ioc                                                                                                            | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe

- Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                     | process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

- Modifies data under HKEY_USERS (1 IoC)
  Processes:
    description | ioc                                                                                 | process
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                      | pid  | process      | target process
    PID 1800 wrote to memory of 896  | 1800 | rundll32.exe | rundll32.exe
    PID 1800 wrote to memory of 896  | 1800 | rundll32.exe | rundll32.exe
    PID 1800 wrote to memory of 896  | 1800 | rundll32.exe | rundll32.exe
    PID 1800 wrote to memory of 896  | 1800 | rundll32.exe | rundll32.exe
    PID 1800 wrote to memory of 896  | 1800 | rundll32.exe | rundll32.exe
    PID 1800 wrote to memory of 896  | 1800 | rundll32.exe | rundll32.exe
    PID 1800 wrote to memory of 896  | 1800 | rundll32.exe | rundll32.exe
    PID 896 wrote to memory of 1628  | 896  | rundll32.exe | mssecsvc.exe
    PID 896 wrote to memory of 1628  | 896  | rundll32.exe | mssecsvc.exe
    PID 896 wrote to memory of 1628  | 896  | rundll32.exe | mssecsvc.exe
    PID 896 wrote to memory of 1628  | 896  | rundll32.exe | mssecsvc.exe
Processes (process tree; indentation shows parent/child relationship)

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\44e7f44b6edf55d6a96cf66d9d75f65acc9cd2db54760e20729d5d9d09877537.dll,#1
    - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\44e7f44b6edf55d6a96cf66d9d75f65acc9cd2db54760e20729d5d9d09877537.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
        - Executes dropped EXE
        - Drops file in Windows directory

      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
          - Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5:      cb7a9129ae6518f3f378d672229052f0
  SHA1:     26e4d0fba843167a28b1e8db9046ef6b4c553659
  SHA256:   14460c2734302669df5ac4fdf91560b4bf093c842d186091d02a29fa5ffa2d4b
  SHA512:   dc3d5489a6d290c516d5cc93c07e70be2a3d0f47f34e3b0515e11a502951c3e3995cdd533d0397f30128a0f2032247c17a87e3cfd630f37e428d60258c557fd4

- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5:      cb7a9129ae6518f3f378d672229052f0
  SHA1:     26e4d0fba843167a28b1e8db9046ef6b4c553659
  SHA256:   14460c2734302669df5ac4fdf91560b4bf093c842d186091d02a29fa5ffa2d4b
  SHA512:   dc3d5489a6d290c516d5cc93c07e70be2a3d0f47f34e3b0515e11a502951c3e3995cdd533d0397f30128a0f2032247c17a87e3cfd630f37e428d60258c557fd4
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5:      406f9ceecb41efc50fdf702de6814eb1
  SHA1:     0dd973d6250f0365446f5daeefd3147eb1b7b1c0
  SHA256:   81f39955fec2ad2ca51c12acfe24222a86c46ddcc85ed73d99081891130c244f
  SHA512:   f37b16cbf6888f6b58aa6577d9b578d7ac125c1d4221e82bdf8aea3347469c8cf13fcefb41fa5db25629312be31c1ea39302a8ef2cbb99edb5734163c2bf1820
- memory/896-54-0x0000000000000000-mapping.dmp

- memory/896-55-0x0000000074E91000-0x0000000074E93000-memory.dmp
  Filesize: 8KB

- memory/1628-56-0x0000000000000000-mapping.dmp