Analysis
- max time kernel: 151s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 20/07/2022, 07:44
Static task: static1
Behavioral task: behavioral1
- Sample: 0457e6241e8c15bf1b4e8de873b38500.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 0457e6241e8c15bf1b4e8de873b38500.dll
- Resource: win10v2004-20220414-en
General
- Target: 0457e6241e8c15bf1b4e8de873b38500.dll
- Size: 5.0MB
- MD5: 0457e6241e8c15bf1b4e8de873b38500
- SHA1: 19afc01869c0383169ad411423234d0134a65bc2
- SHA256: 5ebaffbbc54ae2f785146b4bd538365fabd7acff1341923b9a061227d9bcb80a
- SHA512: ccbb403d07fad82258344a58f07eb845cd5577d24ead732b99e885d379a9c6c0c37aa39eaf019429ed07be71a0097ddc5597d8c018121787166ebb1b9326706b
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1284) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  - PID 1424: mssecsvc.exe
  - PID 1064: mssecsvc.exe
  - PID 1992: tasksche.exe
- Drops file in System32 directory (1 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  - File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (1 IoCs)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  - PID 308 (rundll32.exe) wrote to memory of PID 1512, procid_target 28: 7 events
  - PID 1512 (rundll32.exe) wrote to memory of PID 1424, procid_target 29: 4 events
Processes
- C:\Windows\system32\rundll32.exe — command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0457e6241e8c15bf1b4e8de873b38500.dll,#1 (PID 308)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe — command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0457e6241e8c15bf1b4e8de873b38500.dll,#1 (PID 1512)
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe — command line: C:\WINDOWS\mssecsvc.exe (PID 1424)
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe — command line: C:\WINDOWS\tasksche.exe /i (PID 1992)
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe — command line: C:\WINDOWS\mssecsvc.exe -m security (PID 1064)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB
  MD5: 8bf0f2642be2c8e663059e879965c735
  SHA1: edb79c06c9286ff844be12211ac8c6b5da20f157
  SHA256: 0eb87192498cbad24f170c0927db661a4ae334dbb508a0c6a57d80dad36e076e
  SHA512: 9e62795e7b433c090230b6d762b8ecd2c31082a3a7a78f7f2b231a4a908054fede87bf89e6d81bc2d4ca487dc689dd63d2c5ccb8c7ea6a5084071a4a47372244
- Filesize: 3.4MB
  MD5: b7fea17cfccdba61b3cfdb3dae0c3f53
  SHA1: 4410c22dd484da644c2ecb2bbfee315a02159cf5
  SHA256: 5e57847eef6674b3a9dff6a9b51427c45a42dc45a640047f5613305e531875bf
  SHA512: 7b1da7eeb8612dd1be520939d32fa36ee662a937126d0e1b50017c17c3ca5278a2bbb9b0de38ff8d44993713b6699a4c8557a585353f4659a635d474422a3a40