Overview

overview

10

Static

static

1ee069455e...2c.dll

windows7-x64

10

1ee069455e...2c.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2022 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ee069455ec3b2de5eaefe54a536962c.dll

  • Size

    5.0MB

  • MD5

    1ee069455ec3b2de5eaefe54a536962c

  • SHA1

    6b3e9bd6122e40ee69d3bd441213fc1505c0d419

  • SHA256

    bf9b8a89148553fa0da5d2270bf7db0b5482df6517867410fead18192d5135a1

  • SHA512

    f021b5820e4a89608e87e1ce050fe2fa28b7930492bdb7823389e590f94988c967849abc6615a8c66c337a3f31df9a8bfddee6bf9e43ff497f93c57ec5cef6b9

Score
10/10
wannacrydiscoveryevasionransomwareworm

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3247) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:672
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
        PID:612
        • C:\Windows\system32\fontdrvhost.exe
          "fontdrvhost.exe"
          2⤵
            PID:788
          • C:\Windows\system32\dwm.exe
            "dwm.exe"
            2⤵
              PID:312
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch -p
            1⤵
              PID:780
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                2⤵
                  PID:3232
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  2⤵
                    PID:3412
                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                    2⤵
                      PID:3340
                    • C:\Windows\system32\wbem\wmiprvse.exe
                      C:\Windows\system32\wbem\wmiprvse.exe
                      2⤵
                        PID:3460
                      • C:\Windows\system32\SppExtComObj.exe
                        C:\Windows\system32\SppExtComObj.exe -Embedding
                        2⤵
                          PID:1272
                        • C:\Windows\System32\RuntimeBroker.exe
                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                          2⤵
                            PID:4232
                          • C:\Windows\system32\DllHost.exe
                            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                            2⤵
                              PID:3112
                            • C:\Windows\System32\RuntimeBroker.exe
                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                              2⤵
                                PID:3788
                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                2⤵
                                  PID:3512
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS -p
                                1⤵
                                  PID:900
                                • C:\Windows\System32\svchost.exe
                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                  1⤵
                                    PID:868
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                    1⤵
                                      PID:1124
                                      • C:\Windows\system32\taskhostw.exe
                                        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                                        2⤵
                                          PID:2460
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                        1⤵
                                          PID:1620
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                          1⤵
                                            PID:1776
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                            1⤵
                                              PID:1944
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                              1⤵
                                                PID:2116
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                1⤵
                                                  PID:2472
                                                • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                  1⤵
                                                    PID:2680
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                    1⤵
                                                      PID:2764
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                      1⤵
                                                        PID:1260
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                        1⤵
                                                          PID:1160
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                          1⤵
                                                            PID:4284
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                            1⤵
                                                              PID:1608
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                              1⤵
                                                                PID:3152
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                1⤵
                                                                  PID:2112
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                  1⤵
                                                                    PID:2760
                                                                  • C:\Windows\Explorer.EXE
                                                                    C:\Windows\Explorer.EXE
                                                                    1⤵
                                                                      PID:3044
                                                                      • C:\Windows\system32\rundll32.exe
                                                                        rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ee069455ec3b2de5eaefe54a536962c.dll,#1
                                                                        2⤵
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:4100
                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                          rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ee069455ec3b2de5eaefe54a536962c.dll,#1
                                                                          3⤵
                                                                          • Drops file in Windows directory
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:2980
                                                                          • C:\WINDOWS\mssecsvc.exe
                                                                            C:\WINDOWS\mssecsvc.exe
                                                                            4⤵
                                                                            • Modifies firewall policy service
                                                                            • Drops file in Drivers directory
                                                                            • Executes dropped EXE
                                                                            • Drops file in Windows directory
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious behavior: MapViewOfSection
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            • Suspicious use of WriteProcessMemory
                                                                            PID:4276
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 1440
                                                                              5⤵
                                                                              • Program crash
                                                                              PID:2036
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                      1⤵
                                                                        PID:2772
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                        1⤵
                                                                          PID:2752
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                          1⤵
                                                                            PID:2740
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                            1⤵
                                                                              PID:2688
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                              1⤵
                                                                                PID:2484
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                                1⤵
                                                                                  PID:2344
                                                                                • C:\Windows\system32\sihost.exe
                                                                                  sihost.exe
                                                                                  1⤵
                                                                                    PID:2332
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                                    1⤵
                                                                                      PID:2088
                                                                                    • C:\Windows\System32\spoolsv.exe
                                                                                      C:\Windows\System32\spoolsv.exe
                                                                                      1⤵
                                                                                        PID:1732
                                                                                      • C:\Windows\System32\svchost.exe
                                                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                                        1⤵
                                                                                          PID:1672
                                                                                        • C:\Windows\System32\svchost.exe
                                                                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                                          1⤵
                                                                                            PID:1996
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                                                            1⤵
                                                                                              PID:1936
                                                                                            • C:\Windows\system32\svchost.exe
                                                                                              C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                                              1⤵
                                                                                                PID:1928
                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                                                                1⤵
                                                                                                  PID:1804
                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                                                                  1⤵
                                                                                                    PID:1684
                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                                                                    1⤵
                                                                                                      PID:1628
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                                                                      1⤵
                                                                                                        PID:1576
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                                                                        1⤵
                                                                                                          PID:1544
                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                                                                          1⤵
                                                                                                            PID:1452
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                                                                            1⤵
                                                                                                              PID:1436
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                                                                              1⤵
                                                                                                                PID:1428
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                                                                                1⤵
                                                                                                                  PID:1300
                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                                                                                  1⤵
                                                                                                                    PID:1288
                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                                                                                    1⤵
                                                                                                                      PID:1236
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                                                                                      1⤵
                                                                                                                        PID:1184
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                                                                                        1⤵
                                                                                                                          PID:1060
                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                          1⤵
                                                                                                                            PID:1048
                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                                                                                                            1⤵
                                                                                                                              PID:916
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                                                                                              1⤵
                                                                                                                                PID:404
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                                                                                                1⤵
                                                                                                                                  PID:948
                                                                                                                                • C:\Windows\system32\fontdrvhost.exe
                                                                                                                                  "fontdrvhost.exe"
                                                                                                                                  1⤵
                                                                                                                                    PID:796
                                                                                                                                  • C:\WINDOWS\mssecsvc.exe
                                                                                                                                    C:\WINDOWS\mssecsvc.exe -m security
                                                                                                                                    1⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                    PID:3820
                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4276 -ip 4276
                                                                                                                                    1⤵
                                                                                                                                      PID:4640

                                                                                                                                    Network

                                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                                    Replay Monitor

                                                                                                                                    Loading Replay Monitor...

                                                                                                                                    Downloads

                                                                                                                                    • C:\WINDOWS\mssecsvc.exe
                                                                                                                                      Filesize

                                                                                                                                      3.6MB

                                                                                                                                      MD5

                                                                                                                                      da038e473c9e29b33ef48e73843a039b

                                                                                                                                      SHA1

                                                                                                                                      2168c668eb8df4173a3a60214297d1818f6a4363

                                                                                                                                      SHA256

                                                                                                                                      2266e75d65b3f2117f2c72eabb9251ca53f01990ee6321499181282d31acd1b8

                                                                                                                                      SHA512

                                                                                                                                      d6be08f350099e8686459f9a35b3669a5c47fb36078bf71a726d1dbe552d1cdf12a0f3743b027f40220a38503c5fdabbef163e1c413672c08b9930bb71c41f7f

                                                                                                                                      Download Submit
                                                                                                                                    • C:\Windows\mssecsvc.exe
                                                                                                                                      Filesize

                                                                                                                                      3.6MB

                                                                                                                                      MD5

                                                                                                                                      da038e473c9e29b33ef48e73843a039b

                                                                                                                                      SHA1

                                                                                                                                      2168c668eb8df4173a3a60214297d1818f6a4363

                                                                                                                                      SHA256

                                                                                                                                      2266e75d65b3f2117f2c72eabb9251ca53f01990ee6321499181282d31acd1b8

                                                                                                                                      SHA512

                                                                                                                                      d6be08f350099e8686459f9a35b3669a5c47fb36078bf71a726d1dbe552d1cdf12a0f3743b027f40220a38503c5fdabbef163e1c413672c08b9930bb71c41f7f

                                                                                                                                      Download Submit
                                                                                                                                    • C:\Windows\mssecsvc.exe
                                                                                                                                      Filesize

                                                                                                                                      3.6MB

                                                                                                                                      MD5

                                                                                                                                      da038e473c9e29b33ef48e73843a039b

                                                                                                                                      SHA1

                                                                                                                                      2168c668eb8df4173a3a60214297d1818f6a4363

                                                                                                                                      SHA256

                                                                                                                                      2266e75d65b3f2117f2c72eabb9251ca53f01990ee6321499181282d31acd1b8

                                                                                                                                      SHA512

                                                                                                                                      d6be08f350099e8686459f9a35b3669a5c47fb36078bf71a726d1dbe552d1cdf12a0f3743b027f40220a38503c5fdabbef163e1c413672c08b9930bb71c41f7f

                                                                                                                                      Download Submit
                                                                                                                                    • memory/2980-130-0x0000000000000000-mapping.dmp
                                                                                                                                      Download
                                                                                                                                    • memory/3820-136-0x0000000000400000-0x0000000000A73000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      6.4MB

                                                                                                                                      Download
                                                                                                                                    • memory/3820-140-0x0000000000400000-0x0000000000A73000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      6.4MB

                                                                                                                                      Download
                                                                                                                                    • memory/4276-131-0x0000000000000000-mapping.dmp
                                                                                                                                      Download
                                                                                                                                    • memory/4276-134-0x0000000000400000-0x0000000000A73000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      6.4MB

                                                                                                                                      Download
                                                                                                                                    • memory/4276-137-0x000000007FE30000-0x000000007FE3C000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      48KB

                                                                                                                                      Download
                                                                                                                                    • memory/4276-139-0x000000007FE30000-0x000000007FE3C000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      48KB

                                                                                                                                      Download
                                                                                                                                    • memory/4276-138-0x0000000000400000-0x0000000000A73000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      6.4MB

                                                                                                                                      Download