Analysis
-
max time kernel
151s
-
max time network
178s
-
platform
windows7_x64
-
resource
win7-20220718-en
-
resource tags
arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
-
submitted
19-07-2022 18:44
Static task
static1
Behavioral task
behavioral1
Sample
c27ecb1de9ca748605af567237eeed4f.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
c27ecb1de9ca748605af567237eeed4f.dll
Resource
win10v2004-20220718-en
General
-
Target
c27ecb1de9ca748605af567237eeed4f.dll
-
Size
5.0MB
-
MD5
c27ecb1de9ca748605af567237eeed4f
-
SHA1
f3b0fed4b1ba6da067663fed061d1ba03c883ab4
-
SHA256
d6cb63f23b784915ebd8ac1b195c46251fa1241b324beb99a61d7c4ba27ea99b
-
SHA512
97b1e363a8a8685d796aa87d65f219a8b41713bc8927e3bf05405741659a097008bce261b8746b1d63faf5516ee3ac0a283fbdc7f17060e16617237150c8ebae
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1195) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid | process
1140 | mssecsvc.exe
1928 | mssecsvc.exe
2032 | tasksche.exe
-
Drops file in System32 directory 1 IoCs
Processes: mssecsvc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes: rundll32.exe, mssecsvc.exe
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 1 IoCs
Processes: mssecsvc.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 1632 wrote to memory of 1944 | 1632 | rundll32.exe | rundll32.exe
PID 1632 wrote to memory of 1944 | 1632 | rundll32.exe | rundll32.exe
PID 1632 wrote to memory of 1944 | 1632 | rundll32.exe | rundll32.exe
PID 1632 wrote to memory of 1944 | 1632 | rundll32.exe | rundll32.exe
PID 1632 wrote to memory of 1944 | 1632 | rundll32.exe | rundll32.exe
PID 1632 wrote to memory of 1944 | 1632 | rundll32.exe | rundll32.exe
PID 1632 wrote to memory of 1944 | 1632 | rundll32.exe | rundll32.exe
PID 1944 wrote to memory of 1140 | 1944 | rundll32.exe | mssecsvc.exe
PID 1944 wrote to memory of 1140 | 1944 | rundll32.exe | mssecsvc.exe
PID 1944 wrote to memory of 1140 | 1944 | rundll32.exe | mssecsvc.exe
PID 1944 wrote to memory of 1140 | 1944 | rundll32.exe | mssecsvc.exe
Processes
(child processes are indented under their parent)
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c27ecb1de9ca748605af567237eeed4f.dll,#1
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c27ecb1de9ca748605af567237eeed4f.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    -
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      -
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB
MD5
58307b57d8768dd4392b17dc94261221
SHA1
7c972e40f96b3980f9e012a7c6db243d3a35f834
SHA256
d21081d828e9cbf42d91850ccf4a6acef2be17892528987392f5a16bf84e99f1
SHA512
05dc925cf6dfbfec780326791418c31986765d83d43818d1d9a5d3d37d2bbe7f4d374c63d888f0346797bb933052c6bf2ec275cea8beda4e87e754a29f3e5c5d
-
C:\Windows\mssecsvc.exe
Filesize
3.6MB
MD5
58307b57d8768dd4392b17dc94261221
SHA1
7c972e40f96b3980f9e012a7c6db243d3a35f834
SHA256
d21081d828e9cbf42d91850ccf4a6acef2be17892528987392f5a16bf84e99f1
SHA512
05dc925cf6dfbfec780326791418c31986765d83d43818d1d9a5d3d37d2bbe7f4d374c63d888f0346797bb933052c6bf2ec275cea8beda4e87e754a29f3e5c5d
-
C:\Windows\tasksche.exe
Filesize
3.4MB
MD5
47a2a3ed83a3e4b42b339434b8d7795b
SHA1
6bf51b555fe4784326d2c0bff717d228b5789311
SHA256
eb5b0fa26712e678240a0c7fe2fdbb218763ad6b7b8b757d25dab9c5d2879d84
SHA512
fe487c6ed2ac7b9380e6d2abea5f7002c423bd4ae5ebec22c94622a62629b259905e21a80e7412e7a5583af299fa10def210f6f6c3c295e838636f885fa77014
-
memory/1140-56-0x0000000000000000-mapping.dmp
-
memory/1944-54-0x0000000000000000-mapping.dmp
-
memory/1944-55-0x0000000076871000-0x0000000076873000-memory.dmp
Filesize
8KB