Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system -
submitted
20-07-2022 03:10
Static task
static1
Behavioral task
behavioral1
Sample
6e7614af4ddfa286ca963c3f4c039c2a.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
6e7614af4ddfa286ca963c3f4c039c2a.dll
Resource
win10v2004-20220718-en
General
-
Target
6e7614af4ddfa286ca963c3f4c039c2a.dll
-
Size
5.0MB
-
MD5
6e7614af4ddfa286ca963c3f4c039c2a
-
SHA1
4086d509392b10e43af87a782e5d96acc5cfff9f
-
SHA256
552249b242e9857e66ca1c2b55e55ecaa354017e1f1fcd2c7ba60388eba99ac5
-
SHA512
ebc8fb369c6fc33a20520b493c1e0ca03ba2b9c1f8d398e6f576424fb1028c66f7cebadd22fe67e750e9d44041ae9133e42188b88c479dafca5f1f693c6abc97
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1260) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1544 mssecsvc.exe 1740 mssecsvc.exe 1188 tasksche.exe -
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 1 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 972 wrote to memory of 1120 972 rundll32.exe rundll32.exe PID 972 wrote to memory of 1120 972 rundll32.exe rundll32.exe PID 972 wrote to memory of 1120 972 rundll32.exe rundll32.exe PID 972 wrote to memory of 1120 972 rundll32.exe rundll32.exe PID 972 wrote to memory of 1120 972 rundll32.exe rundll32.exe PID 972 wrote to memory of 1120 972 rundll32.exe rundll32.exe PID 972 wrote to memory of 1120 972 rundll32.exe rundll32.exe PID 1120 wrote to memory of 1544 1120 rundll32.exe mssecsvc.exe PID 1120 wrote to memory of 1544 1120 rundll32.exe mssecsvc.exe PID 1120 wrote to memory of 1544 1120 rundll32.exe mssecsvc.exe PID 1120 wrote to memory of 1544 1120 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6e7614af4ddfa286ca963c3f4c039c2a.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6e7614af4ddfa286ca963c3f4c039c2a.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD539d9ed013d95e7770eb68278ac88a89e
SHA13eb2c5c36416802fc8bcc6270a009b09ddb1d9f1
SHA25651f832a706474f358dd223b3b95108cbf86c2f9ecdbfa340b838a39f461342f5
SHA512cc9977149c06d2e689b8050ad0dce65dacfc11f4e99bc64f1d6d6cc868f55a9e5ffbbfabf8563ee1cad31932f58621061efe009a3406400a68ae9f184f6cddcb
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD539d9ed013d95e7770eb68278ac88a89e
SHA13eb2c5c36416802fc8bcc6270a009b09ddb1d9f1
SHA25651f832a706474f358dd223b3b95108cbf86c2f9ecdbfa340b838a39f461342f5
SHA512cc9977149c06d2e689b8050ad0dce65dacfc11f4e99bc64f1d6d6cc868f55a9e5ffbbfabf8563ee1cad31932f58621061efe009a3406400a68ae9f184f6cddcb
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD539d9ed013d95e7770eb68278ac88a89e
SHA13eb2c5c36416802fc8bcc6270a009b09ddb1d9f1
SHA25651f832a706474f358dd223b3b95108cbf86c2f9ecdbfa340b838a39f461342f5
SHA512cc9977149c06d2e689b8050ad0dce65dacfc11f4e99bc64f1d6d6cc868f55a9e5ffbbfabf8563ee1cad31932f58621061efe009a3406400a68ae9f184f6cddcb
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD59e628932a5b0516e3e1dc12293d16ab4
SHA196d7ffbb31d9d2737625def93f78b12f56a34c24
SHA25697feb4ff0e816da9b868f7972cfe53ebe64c8d12e8a2faa8e51528b9ddd1d329
SHA512ee11a17f4fbbf035dd82e11a6604a82f5c3f2f6c8b4a64c1bd2b38f5876778ceca0a6cf83ea9fe245164f2b00161874274f926461b90b045be152896ffb60811
-
memory/1120-54-0x0000000000000000-mapping.dmp
-
memory/1120-55-0x0000000075CE1000-0x0000000075CE3000-memory.dmpFilesize
8KB
-
memory/1544-56-0x0000000000000000-mapping.dmp