Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20220715-en
- resource tags: arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
- submitted: 20-07-2022 03:07
Static task: static1
Behavioral task: behavioral1
- Sample: 986b29f805c4036a4b17a2050e67aae6.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 986b29f805c4036a4b17a2050e67aae6.dll
- Resource: win10v2004-20220414-en
General
- Target: 986b29f805c4036a4b17a2050e67aae6.dll
- Size: 5.0MB
- MD5: 986b29f805c4036a4b17a2050e67aae6
- SHA1: 9c9118edacd1103c5244dd8cb103e26ff5f4238c
- SHA256: 5cc480c8869b3c6b9e319b6688ba7c7da41c1ca679a2582adccb3d28aded93e4
- SHA512: 450683459e863a881f06d91ad63d4f130a9e43ae9d8c83907a4ccce5239579bba2cc123172c19362736d031b17ed1cea4ba24b7d696cf0f828f05684fdd43e1a
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1272) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 892 mssecsvc.exe
  - 2024 mssecsvc.exe
  - 1112 tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Program crash (1 IoCs)
  Processes (pid, pid_target, process, target process):
  - 668 -> 1112: WerFault.exe, target tasksche.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description, pid, process, target process); identical rows are collapsed with their counts:
  - PID 1676 wrote to memory of 1812: rundll32.exe -> rundll32.exe (7 times)
  - PID 1812 wrote to memory of 892: rundll32.exe -> mssecsvc.exe (4 times)
  - PID 892 wrote to memory of 1112: mssecsvc.exe -> tasksche.exe (4 times)
  - PID 1112 wrote to memory of 668: tasksche.exe -> WerFault.exe (4 times)
Processes (tree depth in parentheses)
- (1) C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\986b29f805c4036a4b17a2050e67aae6.dll,#1
  Signatures:
  - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\986b29f805c4036a4b17a2050e67aae6.dll,#1
    Signatures:
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - (3) C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures:
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - (4) C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures:
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - (5) C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 36
          Signatures:
          - Program crash
- (1) C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures:
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 51cfc6fe985916116cd2bbd6aa836044
  SHA1: db443f2110da8a92435c2478a1cd946f91f162bb
  SHA256: aa541eb2ff55cf2049f6249f6ff5662b54b1e45859e9f51bcdaadb612b315acc
  SHA512: 0d9603fc89de7c401a29c9e39e4087e5c0c6bed08888e7726b5bc4cf993319aeaa51d0846c89561e03d5be981190e8e780a96564fb6e9f5d0c2ee43e63efe512
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 7b351fcb4c6a4ccb3d3061936aa553a6
  SHA1: 365a3e54d81b8c19fe781656a4ce7243749ad970
  SHA256: efa788e33b9f58a86b015da2b0b1651f80e02923e9e9ffc1602aeed4218a5dac
  SHA512: 3d8fa3a451f0a63bb0ce444f5f3ac9420e65e57fd8d50c9477b22ebc58402c747b27c74aef540b4bb0327487d48eef58a77b2ec37d5c52c2224102e4b62c30f8
- memory/668-64-0x0000000000000000-mapping.dmp
- memory/892-56-0x0000000000000000-mapping.dmp
- memory/1112-62-0x0000000000000000-mapping.dmp
- memory/1812-54-0x0000000000000000-mapping.dmp
- memory/1812-55-0x00000000764D1000-0x00000000764D3000-memory.dmp
  Filesize: 8KB