Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:13
Static task: static1
Behavioral task: behavioral1
- Sample: bbe2afa97b110302be0e9e52be6d6f64.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: bbe2afa97b110302be0e9e52be6d6f64.dll
- Resource: win10v2004-20220718-en
General
- Target: bbe2afa97b110302be0e9e52be6d6f64.dll
- Size: 5.0MB
- MD5: bbe2afa97b110302be0e9e52be6d6f64
- SHA1: e46ddb727ba325e31940cccb1b36d385aed7a716
- SHA256: 178fe955a6c0412daaf5a36485281a168ab40df284b451dad6c84043a6a5c0d6
- SHA512: c42ad5ed9e8a61ef54c23be342101bf443cd155a5975ada6f253254491efad9d630664fc932ae9e6d5f86c58011998931076003b0ad50d6eb5ccd0944ad9fa83
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1403) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    1116 | mssecsvc.exe
    1936 | mssecsvc.exe
    1904 | tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
  config\systemprofile is the profile directory of the LocalSystem account, so this write shows mssecsvc.exe running as LocalSystem rather than as the sandbox user.
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  HKEY_USERS\.DEFAULT is the hive loaded for the LocalSystem account, consistent with the systemprofile path above.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (writer pid | writer | target pid | target | events):
    2000 | rundll32.exe | 988 | rundll32.exe | 7
    988 | rundll32.exe | 1116 | mssecsvc.exe | 4
  Both entries are a parent writing into a child it has just started; the process tree below shows the same parent/child pairs. Writes of that shape occur as part of normal process creation, so on their own they do not establish injection into an unrelated process.
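The "contacts a large number of remote hosts" signature above is a fan-out heuristic: one process reaching far more distinct destinations than a normal client would, usually on a single port. The following is an added example of that check written over connection records, not the sandbox's own signature code and not part of the report. The record layout (timestamp, pid, image, destination IP, destination port), the window size, the threshold and the sample data are assumptions; the sample sweeps 1403 hosts to match the count in the report, but the report does not list the destinations or the port it observed.

```python
"""Fan-out detector for the "contacts a large number of remote hosts" signature.

Added example; it is not part of the sandbox report and not the sandbox's own
signature logic. Connection records are constructed tuples
(timestamp_seconds, pid, image, dst_ip, dst_port); the window size, the threshold
and the sample data are assumptions chosen for illustration.
"""
import ipaddress
from collections import Counter, defaultdict


def fanout_by_process(records, window_s=60, threshold=100):
    """Return {pid: finding} for every process that reached more than `threshold`
    distinct destination hosts within one fixed `window_s`-second bucket.

    A scan tends to touch many hosts on the same port, so each finding also reports
    the dominant destination port and the share of connections that went to it.
    """
    hosts = defaultdict(set)        # (pid, bucket) -> distinct destination IPs
    ports = defaultdict(Counter)    # (pid, bucket) -> destination port histogram
    images = {}
    for ts, pid, image, dst_ip, dst_port in records:
        key = (pid, int(ts) // window_s)
        hosts[key].add(dst_ip)
        ports[key][dst_port] += 1
        images[pid] = image

    findings = {}
    for (pid, bucket), dsts in hosts.items():
        if len(dsts) <= threshold:
            continue
        port, hits = ports[(pid, bucket)].most_common(1)[0]
        total = sum(ports[(pid, bucket)].values())
        prev = findings.get(pid)
        # keep the busiest window per process
        if prev is None or len(dsts) > prev["distinct_hosts"]:
            findings[pid] = {
                "image": images[pid],
                "window_start": bucket * window_s,
                "distinct_hosts": len(dsts),
                "dominant_port": port,
                "single_port_ratio": round(hits / total, 3),
            }
    return findings


def build_sample_records():
    """Constructed sample: one process sweeps 1403 hosts (the count in the report
    above) on a single port inside 15 seconds, a second process looks like a
    browser. The pid, image path and port are illustrative only; the report does
    not list the destinations or the port it observed."""
    records = []
    sweep = [str(ip) for ip in ipaddress.ip_network("10.0.0.0/21").hosts()][:1403]
    for i, ip in enumerate(sweep):
        records.append((960.0 + i * 0.01, 1936, r"C:\WINDOWS\mssecsvc.exe", ip, 445))
    for i in range(12):
        records.append((960.0 + i, 1700, r"C:\Program Files\browser\browser.exe",
                        f"93.184.216.{i + 1}", 443))
    return records


if __name__ == "__main__":
    for pid, finding in fanout_by_process(build_sample_records()).items():
        print(pid, finding)
```

The fixed bucket keeps the logic short; a sliding window would catch a sweep that straddles a bucket boundary, and a per-host baseline would replace the hard-coded threshold in production. The single-port ratio is what separates a service discovery sweep from a busy but legitimate client, which spreads its connections across ports and hosts.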
Processes
- PID 2000: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbe2afa97b110302be0e9e52be6d6f64.dll,#1
  - Suspicious use of WriteProcessMemory
  - PID 988: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbe2afa97b110302be0e9e52be6d6f64.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - PID 1116: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - PID 1904: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- PID 1936: C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Reading the tree: the DLL is invoked through its ordinal export #1 (the ",#1" argument). The 64-bit rundll32.exe (PID 2000) relaunches the 32-bit C:\Windows\SysWOW64\rundll32.exe (PID 988) with the same command line, which is what rundll32 does when handed a 32-bit DLL on an x64 host; it is the 32-bit instance that writes C:\WINDOWS\mssecsvc.exe and starts it. PIDs 2000, 988 and 1116 come from the WriteProcessMemory entries above, 1904 from the "Executes dropped EXE" list, and 1936 is the remaining mssecsvc.exe PID in that list. The second mssecsvc.exe instance appears as a separate root rather than a child of the rundll32 chain, and its writes under SysWOW64\config\systemprofile and HKEY_USERS\.DEFAULT indicate it runs as LocalSystem, consistent with a service-style launch under "-m security".
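The chain above (rundll32 loading a DLL from the user's Temp directory by ordinal, a new executable appearing directly under C:\WINDOWS\ and running, then tasksche.exe /i and a second mssecsvc.exe -m security instance) is the kind of pattern a process-creation log can be searched for. The following is an added example of that search, not code from the report or from the sandbox. Events are constructed dicts with the keys pid, ppid, image, cmdline and sha256; that layout is an assumption standing in for whatever an EDR or Sysmon pipeline emits. The PIDs, paths and SHA256 values mirror the report; the parent PIDs of the two root processes (1500 and 500) and the benign control event are invented for the sample.

```python
"""Detect the rundll32 -> mssecsvc.exe -> tasksche.exe launch chain from
process-creation events.

Added example; not part of the sandbox report and not the sandbox's own signature
logic. Event layout (pid, ppid, image, cmdline, sha256) is an assumption.
"""
import re

# SHA256 of the two dropped executables, copied from the report's Downloads section.
DROPPED_SHA256 = {
    "273685e728bd39d0597f32579dc98262dee0811dbf3cc69e109face6f898e1f3": "mssecsvc.exe",
    "0e789b3bd7a770c0c77c354bd5b848cffaf38f1ffde622cb5b47cda14c59b2a2": "tasksche.exe",
}

# rundll32 called with "<dll>,#<ordinal>", as the report shows (",#1").
RUNDLL_ORDINAL = re.compile(r"rundll32\.exe\s+(?P<dll>\S+\.dll),#(?P<ordinal>\d+)", re.I)
# DLL loaded from the user's Temp directory, as in the report.
USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Executables written straight into the Windows directory, as the report shows.
DROPPED_IMAGE = re.compile(r"^[a-z]:\\windows\\(mssecsvc|tasksche)\.exe$", re.I)


def rundll32_ordinal(cmdline):
    """Return (dll_path, ordinal) when cmdline is rundll32 calling an export by ordinal."""
    m = RUNDLL_ORDINAL.search(cmdline)
    return (m.group("dll"), int(m.group("ordinal"))) if m else None


def find_wannacry_chains(events, max_depth=4):
    """Return one finding per process whose image matches the dropped executables,
    listing every reason it was flagged (hash IOC, ancestry, command-line switch)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not DROPPED_IMAGE.match(e["image"]):
            continue
        reasons = []
        name = DROPPED_SHA256.get(e.get("sha256", "").lower())
        if name:
            reasons.append(f"sha256 matches dropped {name} from the report")
        # Walk up the ancestry looking for rundll32 loading a Temp DLL by ordinal.
        parent, depth = by_pid.get(e["ppid"]), 0
        while parent is not None and depth < max_depth:
            info = rundll32_ordinal(parent["cmdline"])
            if info and USER_TEMP.search(info[0]):
                reasons.append(f"ancestor pid {parent['pid']}: rundll32 loaded {info[0]} by ordinal #{info[1]}")
                break
            parent, depth = by_pid.get(parent["ppid"]), depth + 1
        cl = e["cmdline"].lower()
        if cl.endswith("mssecsvc.exe -m security"):
            reasons.append("mssecsvc.exe started with '-m security' (the second root in the report's tree)")
        if cl.endswith("tasksche.exe /i"):
            reasons.append("tasksche.exe started with '/i'")
        if reasons:
            findings.append({"pid": e["pid"], "image": e["image"], "reasons": reasons})
    return findings


DLL_CMD = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbe2afa97b110302be0e9e52be6d6f64.dll,#1"
MSSECSVC = "273685e728bd39d0597f32579dc98262dee0811dbf3cc69e109face6f898e1f3"
TASKSCHE = "0e789b3bd7a770c0c77c354bd5b848cffaf38f1ffde622cb5b47cda14c59b2a2"

# Constructed events mirroring the report's process tree; ppid 1500 and 500 are invented.
SAMPLE_EVENTS = [
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\system32\rundll32.exe", "cmdline": DLL_CMD, "sha256": ""},
    {"pid": 988, "ppid": 2000, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": DLL_CMD, "sha256": ""},
    {"pid": 1116, "ppid": 988, "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe", "sha256": MSSECSVC},
    {"pid": 1904, "ppid": 1116, "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i", "sha256": TASKSCHE},
    {"pid": 1936, "ppid": 500, "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security", "sha256": MSSECSVC},
    # benign control: rundll32 calling a named export of a system DLL
    {"pid": 3000, "ppid": 1500, "image": r"C:\Windows\system32\rundll32.exe", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL", "sha256": ""},
]

if __name__ == "__main__":
    for finding in find_wannacry_chains(SAMPLE_EVENTS):
        print(finding["pid"], finding["image"], *finding["reasons"], sep="\n  ")
```

The hash match is the brittle part (one byte of difference defeats it), which is why the ancestry and command-line checks are kept independent: a rebuilt dropper that still goes rundll32 by ordinal from Temp into a fresh C:\WINDOWS\*.exe is caught without the IOC. The benign control event shows that rundll32 calling a named export of a system DLL is not flagged, and the second mssecsvc.exe instance is flagged on its switch and hash alone because, as in the report, it has no rundll32 ancestor.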
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe (the report lists this file three times, once as C:\WINDOWS\mssecsvc.exe and twice as C:\Windows\mssecsvc.exe, with identical hashes)
  Filesize: 3.6MB
  MD5: ee521250e09469441951e0525349070b
  SHA1: 30c0f52ced45273a2eb4c425aa2537f2cf0434c2
  SHA256: 273685e728bd39d0597f32579dc98262dee0811dbf3cc69e109face6f898e1f3
  SHA512: b8dab73a2a6b6977138b2c78cbcab54c87d63b6eb80bd20cbf46df36611099bd11018d863c541aa8e2f50a4935f1dcc374dd765dc9b8e72b2d4d23ba9dc64c42
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f75ccfcc8fde211afcd7c0fbb87d3b74
  SHA1: 23b4793ab44814c53cc0f86e10978b1ac09236c4
  SHA256: 0e789b3bd7a770c0c77c354bd5b848cffaf38f1ffde622cb5b47cda14c59b2a2
  SHA512: 43c81a0bbbcf54eb84c11f4ba886a3e118e02570995ab6861d3e7a4784e88dca783f5c3a80d8be97c47a442c244ad1f557d5fcd637f2347acfd0a7c1e6c4c3b3
- memory/988-54-0x0000000000000000-mapping.dmp
- memory/988-55-0x0000000076191000-0x0000000076193000-memory.dmp
  Filesize: 8KB
- memory/1116-56-0x0000000000000000-mapping.dmp