Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 00:23

Static task: static1

Behavioral task: behavioral1
- Sample: 2a3576b7a781ed83ef73954c33b235f9.dll
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 2a3576b7a781ed83ef73954c33b235f9.dll
- Resource: win10v2004-20220718-en
General
- Target: 2a3576b7a781ed83ef73954c33b235f9.dll
- Size: 5.0MB
- MD5: 2a3576b7a781ed83ef73954c33b235f9
- SHA1: 89da95dd1f288ad96ed5e79907bd7eeb1e5af63f
- SHA256: c8db12d4e1b926b79ef7857e91b34e909b8024c3eaaab8580e4e1d157eaa726f
- SHA512: 4cdd8839a5efbdff79a6fb44abc7e8f934d6ac50b63838a149e3635ff398bb28424375340c3b756fb1400382680a3a702d00cd38756e0be1815292645ca78db1
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1267) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid | process
2008 | mssecsvc.exe
1228 | mssecsvc.exe
1716 | tasksche.exe
-
Drops file in System32 directory 1 IoCs
Processes: mssecsvc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes: rundll32.exe, mssecsvc.exe
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 1 IoCs
Processes: mssecsvc.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 884 wrote to memory of 1044 (7 events) | 884 | rundll32.exe | rundll32.exe
PID 1044 wrote to memory of 2008 (4 events) | 1044 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 884)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3576b7a781ed83ef73954c33b235f9.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1044)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3576b7a781ed83ef73954c33b235f9.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2008)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1716)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1228)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0f9632795175be3e6c78137870eee044
  SHA1: b8d48e7f0f3410424d42f8f6b706086260731017
  SHA256: 329c8f13936f314bfad185043746ef9a4f29e5565a1e6a4b419891613329fcba
  SHA512: a68797c8e4264059692ac1312e92fc4d3a33953c98a299c375a7b62c2a5bdca7d8a4b13e5f2fe2e40f528be7af53361ac18ee682781985af6780653e741ea5c2
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0f9632795175be3e6c78137870eee044
  SHA1: b8d48e7f0f3410424d42f8f6b706086260731017
  SHA256: 329c8f13936f314bfad185043746ef9a4f29e5565a1e6a4b419891613329fcba
  SHA512: a68797c8e4264059692ac1312e92fc4d3a33953c98a299c375a7b62c2a5bdca7d8a4b13e5f2fe2e40f528be7af53361ac18ee682781985af6780653e741ea5c2
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a089e2e733a58751cab58ba261acc543
  SHA1: 5dfeb7e02d81bf5eb545c8993e49d48853ab30a9
  SHA256: 06a24b8386dfff1fa844846aafd8d9c5fda5c5687a84a3b53ffaf62d995498e3
  SHA512: c5d924b45790f4687fddaf5bbb44200fd10d4016cc482cc9abff00f3ef725d6155f95a7934c81178bb5dde82ce8af93a2540cedfda0d7b3d7d90dce242268cb7
- memory/1044-54-0x0000000000000000-mapping.dmp
- memory/1044-55-0x0000000075C41000-0x0000000075C43000-memory.dmp (Filesize: 8KB)
- memory/1228-61-0x0000000000400000-0x0000000000A73000-memory.dmp (Filesize: 6.4MB)
- memory/1228-66-0x0000000000400000-0x0000000000A73000-memory.dmp (Filesize: 6.4MB)
- memory/2008-56-0x0000000000000000-mapping.dmp
- memory/2008-62-0x0000000000400000-0x0000000000A73000-memory.dmp (Filesize: 6.4MB)
- memory/2008-65-0x0000000000400000-0x0000000000A73000-memory.dmp (Filesize: 6.4MB)