Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:15
Static task: static1
Behavioral task: behavioral1
- Sample: a37575f6c05279836ea85b8b4a3bd9bf.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: a37575f6c05279836ea85b8b4a3bd9bf.dll
- Resource: win10v2004-20220718-en
General
- Target: a37575f6c05279836ea85b8b4a3bd9bf.dll
- Size: 5.0MB
- MD5: a37575f6c05279836ea85b8b4a3bd9bf
- SHA1: cc9df61a7a5b1793bd1df43b97fb3227f0efac5d
- SHA256: f72d753cc258c7db1afff98235715b9b0824550009dc63090593ce078793ee84
- SHA512: 64a3e3077fc7112c3d04deb876bcf22291be1f3f5bb0fd2a3bc1c359acf73460944fe7762cc1013527ed02b3613d607cbb681eeb6b417bf7d306d2602c867257
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Contacts a large (1278) number of remote hosts (1 TTPs): this may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes (pid, process):
- 1308 mssecsvc.exe
- 1836 mssecsvc.exe
- 1656 tasksche.exe
Drops file in System32 directory (1 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
Drops file in Windows directory (2 IoCs)
Processes (description, ioc, process):
- File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
- File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
Modifies data under HKEY_USERS (1 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description, pid, process, target process):
- PID 1148 wrote to memory of 1492: rundll32.exe -> rundll32.exe (7 identical entries)
- PID 1492 wrote to memory of 1308: rundll32.exe -> mssecsvc.exe (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a37575f6c05279836ea85b8b4a3bd9bf.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a37575f6c05279836ea85b8b4a3bd9bf.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: cc84aa24c70fccff015245e1869ee303
  SHA1: 61995e9dfb9498bd25eae1b89f164bf13c916226
  SHA256: 69981afd3830dedfbb88cd8d455fd5da827bf19ca43f2b98bfabba5782f77116
  SHA512: bcc32dc3e842327b9ec0b8595e55e5e5e3c4c12ea619ad13b025e4ed0d93e2623e69409a3907d698902953d8c0a8197a68a449e142677b0cb07543bb73f6e87b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 136381d43e5f843573a4af4e5bd7e299
  SHA1: 33e06cb688675503f5c28f9a08315b917eb2fbcf
  SHA256: 4aa536befc581d2e2de8300ba184f287734d7269d5319e33574be3670c10d118
  SHA512: bce01deebc21faa592b8acf8e2bca215033d419cbb1d292ab6ad400dacd2d32c51125c53182f44dfb1dc9ab0af515e4093df74e739428fbca963c758d2c343fa
- memory/1308-56-0x0000000000000000-mapping.dmp
- memory/1492-54-0x0000000000000000-mapping.dmp
- memory/1492-55-0x00000000750B1000-0x00000000750B3000-memory.dmp
  Filesize: 8KB