Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 01:31
Static task
- static1
Behavioral task
- behavioral1
  Sample: 28e2252bcdfe3239f1db3759e80e9ad0.dll
  Resource: win7-20220715-en
Behavioral task
- behavioral2
  Sample: 28e2252bcdfe3239f1db3759e80e9ad0.dll
  Resource: win10v2004-20220414-en
General
- Target: 28e2252bcdfe3239f1db3759e80e9ad0.dll
- Size: 5.0MB
- MD5: 28e2252bcdfe3239f1db3759e80e9ad0
- SHA1: a24337038589cc514d08fd43beb66fb5d33ea32d
- SHA256: 0b6e9d6b978adda20feed22f0be3a01ad87e5a73aac915a0a8cb8d9837863701
- SHA512: 0aee17fda834f85cf1683869a29a3d0b797df5e817f3a5109cc1472e95601c8400e097506319c5ac51bc35b0d9105c2eca0a26e4c69bdd928b83f6035c583c7b
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1311) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  1820 mssecsvc.exe
  1232 mssecsvc.exe
  1980 tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (1 IoC)
  Processes (description, ioc, process):
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  PID 1432 (rundll32.exe) wrote to memory of PID 1532 (rundll32.exe): 7 entries
  PID 1532 (rundll32.exe) wrote to memory of PID 1820 (mssecsvc.exe): 4 entries
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\28e2252bcdfe3239f1db3759e80e9ad0.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\28e2252bcdfe3239f1db3759e80e9ad0.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - Child: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - Child: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e95af9f80a0938de263d0bd2a57ad6d6
  SHA1: b5ff16bfc78dcaf8d15cc0ea720e4da6dd9e52a5
  SHA256: 28499e53fe9dd0788c132612070e35d1a53cd65f98c08d61f5dd5bf05b9a9a18
  SHA512: 3126e5e8aba1a8d1e899dff057f6f121da5379c6c2ff61d17bf4b9a0ed1cf83a514fe5e55387c64caa484abb2ee90544b9031bc12dd2d442d7d7cecbf0cc1c27
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e95af9f80a0938de263d0bd2a57ad6d6
  SHA1: b5ff16bfc78dcaf8d15cc0ea720e4da6dd9e52a5
  SHA256: 28499e53fe9dd0788c132612070e35d1a53cd65f98c08d61f5dd5bf05b9a9a18
  SHA512: 3126e5e8aba1a8d1e899dff057f6f121da5379c6c2ff61d17bf4b9a0ed1cf83a514fe5e55387c64caa484abb2ee90544b9031bc12dd2d442d7d7cecbf0cc1c27
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 00bc8d99be794121a7a3a2ad7501994e
  SHA1: 3c34dcddde8ff946e28df8ee2f4cb3bede39670f
  SHA256: 65214ab0eb6a0e410048c74e5f99ba3e75a500562a9e804a3096f65f9fa16257
  SHA512: 770ba1db33936f1471d8f331f725853ae1196aa2c589cfeaa107054d97674d485b44c4fd1edd34d4001f4037ade78fdd517fa12353a9982a859b182f23d3d400
- memory/1532-54-0x0000000000000000-mapping.dmp
- memory/1532-55-0x0000000076031000-0x0000000076033000-memory.dmp
  Filesize: 8KB
- memory/1820-56-0x0000000000000000-mapping.dmp