Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:30
Static task: static1
Behavioral task: behavioral1
  Sample: 5bdd9c4ee845c748d53c9ceb87bb1552.dll
  Resource: win7-20220718-en
Behavioral task: behavioral2
  Sample: 5bdd9c4ee845c748d53c9ceb87bb1552.dll
  Resource: win10v2004-20220718-en
General
- Target: 5bdd9c4ee845c748d53c9ceb87bb1552.dll
- Size: 5.0MB
- MD5: 5bdd9c4ee845c748d53c9ceb87bb1552
- SHA1: 6363c1c24ceae061fe847d470ad6a57df65eecbf
- SHA256: 01354b983b9fdd062a07bc81eba06d4ba422a04417577f61949f4cbfef767777
- SHA512: 4e737e3b9db8a8506aab1eb9d2329d3ceb8ceba53e82be4e71ddbfb09303674b5c51cbba16751d85548f734e88b7bfcab6b89d1bac1947d4ede9496e27285772
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1340) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID    Process
    892    mssecsvc.exe
    1316   mssecsvc.exe
    1272   tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes:
    Description                    IoC                                                                                                                  Process
    File opened for modification   C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat   mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description    IoC                       Process
    File created   C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created   C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoC)
  Processes:
    Description   IoC                                                                                    Process
    Key created   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings   mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    Description          PID    Process        Target PID   Target process
    wrote to memory of   880    rundll32.exe   1032         rundll32.exe
    wrote to memory of   880    rundll32.exe   1032         rundll32.exe
    wrote to memory of   880    rundll32.exe   1032         rundll32.exe
    wrote to memory of   880    rundll32.exe   1032         rundll32.exe
    wrote to memory of   880    rundll32.exe   1032         rundll32.exe
    wrote to memory of   880    rundll32.exe   1032         rundll32.exe
    wrote to memory of   880    rundll32.exe   1032         rundll32.exe
    wrote to memory of   1032   rundll32.exe   892          mssecsvc.exe
    wrote to memory of   1032   rundll32.exe   892          mssecsvc.exe
    wrote to memory of   1032   rundll32.exe   892          mssecsvc.exe
    wrote to memory of   1032   rundll32.exe   892          mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bdd9c4ee845c748d53c9ceb87bb1552.dll,#1
  PID: 880
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bdd9c4ee845c748d53c9ceb87bb1552.dll,#1
    PID: 1032
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 892
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1272
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1316
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e4ef070dfda1d4e450ab4e265dea180b
  SHA1: 389470aed220164ea7bed86f26f29257927024e0
  SHA256: 23859f861f1e598a86208b5e0f953d27797b6375ab510a11217a15d046af94fc
  SHA512: 04e3c200b5f4f5c05c88a3325f1af049b3666b2583fa37b3a052c9faf48c8e51ba035ae8b23259e8eaa02db5f64d47639532f247a3ff5a13a0a6943dfbf171e5
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e4ef070dfda1d4e450ab4e265dea180b
  SHA1: 389470aed220164ea7bed86f26f29257927024e0
  SHA256: 23859f861f1e598a86208b5e0f953d27797b6375ab510a11217a15d046af94fc
  SHA512: 04e3c200b5f4f5c05c88a3325f1af049b3666b2583fa37b3a052c9faf48c8e51ba035ae8b23259e8eaa02db5f64d47639532f247a3ff5a13a0a6943dfbf171e5
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 512093b85c83e87660d166d86df3afa4
  SHA1: 5003859020e4b750412d954b0473e35804510fde
  SHA256: 3b4a2069539a79d05fe257956560b8a6d7f27041c6d18cf5351bc3c2b8e21945
  SHA512: 69a0551e2e05befccf82f2f3a7b219990ec05a386980a8c1215c2760753252c8a8e35a79bb1573dcf21ef61669ceecb9cf3594bd64f6b10077b3378dfd1b34ba
- memory/892-56-0x0000000000000000-mapping.dmp
- memory/1032-54-0x0000000000000000-mapping.dmp
- memory/1032-55-0x00000000762D1000-0x00000000762D3000-memory.dmp
  Filesize: 8KB