Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:28

Static task: static1

Behavioral task: behavioral1
- Sample: e46efeb5217e2d4bc9b9d28bcf80f3b6.dll
- Resource: win7-20220715-en

Behavioral task: behavioral2
- Sample: e46efeb5217e2d4bc9b9d28bcf80f3b6.dll
- Resource: win10v2004-20220414-en
General
- Target: e46efeb5217e2d4bc9b9d28bcf80f3b6.dll
- Size: 5.0MB
- MD5: e46efeb5217e2d4bc9b9d28bcf80f3b6
- SHA1: 1a42ab2977b67967a3cbdc0ace3ababd76d049b5
- SHA256: 226b3f09c308afa4dd4643ce807ceb8214bfe0e4238be6a776f31acd9cbeaf21
- SHA512: 41244f203bc5d206e5d7b81bcc619860e7abbdc448b9c5b5e5b02dd344613eaa70d2e3f22008468437b29501f968226aacd946b4212cb1c0eccb5de0ca4c7982
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1303) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    PID 1968  mssecsvc.exe
    PID 1652  mssecsvc.exe
    PID 1596  tasksche.exe
- Drops file in System32 directory (1 IoC)
  Process: mssecsvc.exe
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (by mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
- Modifies data under HKEY_USERS (1 IoC)
  Process: mssecsvc.exe
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (by mssecsvc.exe)
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: rundll32.exe, rundll32.exe, mssecsvc.exe
    PID 2004 (rundll32.exe) wrote to memory of PID 1148 (rundll32.exe): 7 events
    PID 1148 (rundll32.exe) wrote to memory of PID 1968 (mssecsvc.exe): 4 events
    PID 1968 (mssecsvc.exe) wrote to memory of PID 1596 (tasksche.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe (PID 2004)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e46efeb5217e2d4bc9b9d28bcf80f3b6.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1148)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e46efeb5217e2d4bc9b9d28bcf80f3b6.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1968)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\WINDOWS\tasksche.exe (PID 1596)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1652)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: fa5998e94530ad9f75734f4a33e47b59
  SHA1: 302b9ec84a6c783fdcecb5a013bdb39770d533a1
  SHA256: 02c77661bf747f40ee9979dbd44885df8b337b9e4a546f385855343ba5a92c5c
  SHA512: 466cb61e6bbf06b612f924e818e9a0101ae72cda214ded01175b9396a7d379efc17e5115c3c1babcd85656324a7b284acfa622e140714863ba8376150850062b
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: fa5998e94530ad9f75734f4a33e47b59
  SHA1: 302b9ec84a6c783fdcecb5a013bdb39770d533a1
  SHA256: 02c77661bf747f40ee9979dbd44885df8b337b9e4a546f385855343ba5a92c5c
  SHA512: 466cb61e6bbf06b612f924e818e9a0101ae72cda214ded01175b9396a7d379efc17e5115c3c1babcd85656324a7b284acfa622e140714863ba8376150850062b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 1fa618bc1133f2933c5fb144de693db1
  SHA1: c5489b50f7816213d62f8a7bc5c3fd56ee36351f
  SHA256: 4c3932c024d000297e5dd33567e8fa05ebd42defbd4d63423106b4e686696962
  SHA512: a9de952fa3b59f5eef0b1673faff07b324803730096047dbeac1e24837dd6469e6d7cd1aa7d2cf56f0194a5d2e37ea2bfab0749d52ac00e3a0b12299f935a324
- memory/1148-54-0x0000000000000000-mapping.dmp
- memory/1148-55-0x00000000765D1000-0x00000000765D3000-memory.dmp
  Filesize: 8KB
- memory/1596-63-0x0000000000000000-mapping.dmp
- memory/1652-66-0x0000000000400000-0x0000000000A70000-memory.dmp
  Filesize: 6.4MB
- memory/1652-67-0x0000000000400000-0x0000000000A70000-memory.dmp
  Filesize: 6.4MB
- memory/1968-56-0x0000000000000000-mapping.dmp
- memory/1968-59-0x0000000000400000-0x0000000000A70000-memory.dmp
  Filesize: 6.4MB
- memory/1968-65-0x0000000000400000-0x0000000000A70000-memory.dmp
  Filesize: 6.4MB