Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 02:01
Static task
- static1
Behavioral task
- behavioral1
  Sample: 4ba3d5e67d65dd85838c6460add04f93.dll
  Resource: win7-20220718-en
Behavioral task
- behavioral2
  Sample: 4ba3d5e67d65dd85838c6460add04f93.dll
  Resource: win10v2004-20220718-en
General
- Target: 4ba3d5e67d65dd85838c6460add04f93.dll
- Size: 5.0MB
- MD5: 4ba3d5e67d65dd85838c6460add04f93
- SHA1: d013ca251d3cb4db30aebb89b5d7a85ebfa4fb5a
- SHA256: 5ccd9a6def2edff6c13c74d075317bf552305dbb889bd2953392171c6d768c7e
- SHA512: 108e6a11873e8e1f0bc97a18d79a8ff0d64a370e8e80be270f20a6cc8796e1acefe46d7ce6cd8ae5aea280f5326d20446098ba9199511514287ccb7ed40680de
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1265) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1928  mssecsvc.exe
    888   mssecsvc.exe
    1500  tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 1820 wrote to memory of 880   rundll32.exe -> rundll32.exe   (7 events)
    PID 880 wrote to memory of 1928   rundll32.exe -> mssecsvc.exe   (4 events)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ba3d5e67d65dd85838c6460add04f93.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ba3d5e67d65dd85838c6460add04f93.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e904de9132bbba0e436c7cfe6bbdba94
  SHA1: 20de8f1ff795463f3e98fd5117be30788c6d2897
  SHA256: 237dd6a108bcba4f76deff22a787a671544018b00d7da63ada70bef8f8bf62d1
  SHA512: cf5d5ec89457ce1f786d0a0bd33f19f13bb9d76ade74428a0e70b23968adc94bc06aac7e815dbca0325d4c3c63345723057a5e8c27e205e44e74ea11bc3ad1b4
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e904de9132bbba0e436c7cfe6bbdba94
  SHA1: 20de8f1ff795463f3e98fd5117be30788c6d2897
  SHA256: 237dd6a108bcba4f76deff22a787a671544018b00d7da63ada70bef8f8bf62d1
  SHA512: cf5d5ec89457ce1f786d0a0bd33f19f13bb9d76ade74428a0e70b23968adc94bc06aac7e815dbca0325d4c3c63345723057a5e8c27e205e44e74ea11bc3ad1b4
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: dd07cd8cea145f94583b3e020a742058
  SHA1: 6076eb70733041e0aaa2795e6cbbdf9b1ffcc98a
  SHA256: 0a265ea8d2c7f5ba68c2cea468dd07cff10c8cd8863c0edc0c474d2b974bdc63
  SHA512: ecaad18e731dfb9c6b06e3e7341c47dafe985db071376b0e6a37a4a86d2893fe099c7f3c94223948700901e87eac19284e07d100afddbe545f21be5b76a980c0
- memory/880-54-0x0000000000000000-mapping.dmp
- memory/880-55-0x0000000075831000-0x0000000075833000-memory.dmp
  Filesize: 8KB
- memory/1928-56-0x0000000000000000-mapping.dmp