Analysis
-
max time kernel
151s
-
max time network
154s
-
platform
windows7_x64
-
resource
win7-20220715-en
-
resource tags
arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
-
submitted
20-07-2022 02:54
Static task
static1
Behavioral task
behavioral1
Sample
d71fc96dcd0ac37af94750945b4a3dd9.dll
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
d71fc96dcd0ac37af94750945b4a3dd9.dll
Resource
win10v2004-20220718-en
General
-
Target
d71fc96dcd0ac37af94750945b4a3dd9.dll
-
Size
5.0MB
-
MD5
d71fc96dcd0ac37af94750945b4a3dd9
-
SHA1
ab2e4824ecdb79267593c4d221202adcf8d5c6a4
-
SHA256
8de495d0f6c9b65bd1e5ef586b1f05864c0fb50485b8d71097c94ee2ca99121a
-
SHA512
5ed0804219d5d65c8ed4fe2e46c03a6f15f5cc2604bdc321acba658242fcdb00702b718bc9da3f88d5e13ebf3f5589cc902f71c7b3947b3f87ab355e0bb07d3d
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1301) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes:
pid  process
900  mssecsvc.exe
956  mssecsvc.exe
588  tasksche.exe
-
Drops file in System32 directory (1 IoC)
Processes:
description: File opened for modification
ioc: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
process: mssecsvc.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
description: File created
ioc: C:\WINDOWS\tasksche.exe
process: mssecsvc.exe

description: File created
ioc: C:\WINDOWS\mssecsvc.exe
process: rundll32.exe
-
Modifies data under HKEY_USERS (1 IoC)
Processes:
description: Key created
ioc: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
process: mssecsvc.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description              pid   process       target pid  target process  entries
PID 1848 wrote to memory 1848  rundll32.exe  1756        rundll32.exe    7
PID 1756 wrote to memory 1756  rundll32.exe  900         mssecsvc.exe    4
Processes
-
C:\Windows\system32\rundll32.exe (tree level 1)
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d71fc96dcd0ac37af94750945b4a3dd9.dll,#1
- Suspicious use of WriteProcessMemory
-
  C:\Windows\SysWOW64\rundll32.exe (tree level 2)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d71fc96dcd0ac37af94750945b4a3dd9.dll,#1
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
-
    C:\WINDOWS\mssecsvc.exe (tree level 3)
    Command line: C:\WINDOWS\mssecsvc.exe
    - Executes dropped EXE
    - Drops file in Windows directory
-
      C:\WINDOWS\tasksche.exe (tree level 4)
      Command line: C:\WINDOWS\tasksche.exe /i
      - Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exe (tree level 1)
Command line: C:\WINDOWS\mssecsvc.exe -m security
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB
MD5 c848124eba9515bfb134be8692777608
SHA1 2806978d37e083b30d583b0cd63f3ab808502b41
SHA256 f2616af49773846acc9a3b59cfc8be589724f4e7308ac89f18decb2e40140885
SHA512 b6e40ec538e2b2f63b5a92ec16c2d179a84cb2e1b9e3c7b01bb4c72c48b2a0825294f365fd17a301fc1fe42e28c50f7329ef0bffaeb713051d41e94e46a28c1f
-
C:\Windows\mssecsvc.exe
Filesize
3.6MB
MD5 c848124eba9515bfb134be8692777608
SHA1 2806978d37e083b30d583b0cd63f3ab808502b41
SHA256 f2616af49773846acc9a3b59cfc8be589724f4e7308ac89f18decb2e40140885
SHA512 b6e40ec538e2b2f63b5a92ec16c2d179a84cb2e1b9e3c7b01bb4c72c48b2a0825294f365fd17a301fc1fe42e28c50f7329ef0bffaeb713051d41e94e46a28c1f
-
C:\Windows\tasksche.exe
Filesize
3.4MB
MD5 8c1273ee16cdc804a0baf74c6ec808a7
SHA1 d824bf29c6eb16d12d1393324c52181b5710239e
SHA256 5aeb1477f825598a6b4b00603428ba26875c4755f7ecc25c1670da182b54290d
SHA512 6cb18d81fc76d6054a75cbf3c8f22d8725c5570d6cd2718186e998cb8b30ebd2974ef616c874ac78b34a8bd673300794c2063e03f552085d3eabb7609f1abba0
-
memory/900-56-0x0000000000000000-mapping.dmp
-
memory/1756-54-0x0000000000000000-mapping.dmp
-
memory/1756-55-0x0000000074F41000-0x0000000074F43000-memory.dmp
Filesize
8KB