Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
20-07-2022 01:52
Static task
static1
Behavioral task
behavioral1
Sample
e7d34dcaf52c8e815649c20826a9db19.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
e7d34dcaf52c8e815649c20826a9db19.dll
Resource
win10v2004-20220414-en
General
-
Target
e7d34dcaf52c8e815649c20826a9db19.dll
-
Size
5.0MB
-
MD5
e7d34dcaf52c8e815649c20826a9db19
-
SHA1
d7385a7ee07704bd48b39dfcc925f7a9013c8e47
-
SHA256
20f3289d1af36f3017c94a2fa2485707ae2d8c0e5159f287761b68c5c275d82f
-
SHA512
47abed504848334db20ac6d13111ebb19af2c038ccf5bae0acf6700e24ab3ee6ab841e0b790d7da576448649e5df7c15f1bd6ef515b2005eea9a7d71db6a64e1
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1281) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2028 mssecsvc.exe 1004 mssecsvc.exe 1548 tasksche.exe -
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 1 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1988 wrote to memory of 2024 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 2024 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 2024 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 2024 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 2024 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 2024 1988 rundll32.exe rundll32.exe PID 1988 wrote to memory of 2024 1988 rundll32.exe rundll32.exe PID 2024 wrote to memory of 2028 2024 rundll32.exe mssecsvc.exe PID 2024 wrote to memory of 2028 2024 rundll32.exe mssecsvc.exe PID 2024 wrote to memory of 2028 2024 rundll32.exe mssecsvc.exe PID 2024 wrote to memory of 2028 2024 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e7d34dcaf52c8e815649c20826a9db19.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e7d34dcaf52c8e815649c20826a9db19.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2028 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:1548
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1004
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD512352a4c133aea766b92316745491372
SHA1312b4a72998344757f7f3001eb78e8ac86263240
SHA2567b4ff05059a3557982c9f79a3ed5d362ee7516ff2b97c28e3f371a69718d64d0
SHA5120d91d20d34675c2e5d2d0909b7b88c324fd394405c65070069e96fcb190f571a8035ce87f5cc0e22947621be0652e3638374c5c8f72939d95e3619a90d0baf39
-
Filesize
3.6MB
MD512352a4c133aea766b92316745491372
SHA1312b4a72998344757f7f3001eb78e8ac86263240
SHA2567b4ff05059a3557982c9f79a3ed5d362ee7516ff2b97c28e3f371a69718d64d0
SHA5120d91d20d34675c2e5d2d0909b7b88c324fd394405c65070069e96fcb190f571a8035ce87f5cc0e22947621be0652e3638374c5c8f72939d95e3619a90d0baf39
-
Filesize
3.6MB
MD512352a4c133aea766b92316745491372
SHA1312b4a72998344757f7f3001eb78e8ac86263240
SHA2567b4ff05059a3557982c9f79a3ed5d362ee7516ff2b97c28e3f371a69718d64d0
SHA5120d91d20d34675c2e5d2d0909b7b88c324fd394405c65070069e96fcb190f571a8035ce87f5cc0e22947621be0652e3638374c5c8f72939d95e3619a90d0baf39
-
Filesize
3.4MB
MD50973d939cc82d272c530ad5f4c97a429
SHA1fe154b3a193495a77f213691cd6e1b515605dfc4
SHA256b07d69c48ff86cc4efafe2ea42ac0b5d5971233f92de7325459fd6b4256fcfe0
SHA5126e80c968758853cfd7c10502095958eac89cae2bdde9cee297ed060554669029c8f8bf4364ee0a5f3e239f898d9a87848627b86adb1d14c59754743577d88ffe