Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-08-2022 19:32
Static task: static1
Behavioral task: behavioral1
- Sample: a6529e30d3ce0e1dfe2d72984b4fe196.dll
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: a6529e30d3ce0e1dfe2d72984b4fe196.dll
- Resource: win10v2004-20220812-en
General
- Target: a6529e30d3ce0e1dfe2d72984b4fe196.dll
- Size: 5.0MB
- MD5: a6529e30d3ce0e1dfe2d72984b4fe196
- SHA1: acbee5d6ff1009d1cb4669085f6f9858bca17015
- SHA256: fcc65fd1ce9236d8bb5d1615209453f178c27afbadd1a4784920e22ca6b67a1d
- SHA512: 5b3ef53ae474bd644249fabbc8b0f5e2ebcc26289747c29612dfa27882fc59a21840c85d5de8e8cccc7c8425bef397a51cf352564c681513cbcfbef4719c50bd
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAhxWa9P593R8yAVp2H:d8qPe1Cxcxk3ZA6adzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (1273) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  1680  mssecsvc.exe
  2020  mssecsvc.exe
  2004  tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description: File opened for modification
  ioc: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  process: mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                        process
  File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes: mssecsvc.exe
  description: Key created
  ioc: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  process: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 1196 wrote to memory of 952    1196  rundll32.exe  rundll32.exe
  PID 1196 wrote to memory of 952    1196  rundll32.exe  rundll32.exe
  PID 1196 wrote to memory of 952    1196  rundll32.exe  rundll32.exe
  PID 1196 wrote to memory of 952    1196  rundll32.exe  rundll32.exe
  PID 1196 wrote to memory of 952    1196  rundll32.exe  rundll32.exe
  PID 1196 wrote to memory of 952    1196  rundll32.exe  rundll32.exe
  PID 1196 wrote to memory of 952    1196  rundll32.exe  rundll32.exe
  PID 952 wrote to memory of 1680    952   rundll32.exe  mssecsvc.exe
  PID 952 wrote to memory of 1680    952   rundll32.exe  mssecsvc.exe
  PID 952 wrote to memory of 1680    952   rundll32.exe  mssecsvc.exe
  PID 952 wrote to memory of 1680    952   rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6529e30d3ce0e1dfe2d72984b4fe196.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6529e30d3ce0e1dfe2d72984b4fe196.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0e5ccd86d0aded5f6e3ec1aad73d566b
  SHA1: 7979d83cdd05a2442fac9cfc2d58ecadf50c0383
  SHA256: 3d6027bff64f5948a54c7b89f51667917e0067bf70c97c1bf98778e2a3588d58
  SHA512: 341c0f0d87a2371664e1a8d8cef499b54ccff6e5c542db618c76fdc238c0587bad78642d33423838ded37896c8018ccaa5d224c99ebdeebf009c2dd43fa104bc
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0e5ccd86d0aded5f6e3ec1aad73d566b
  SHA1: 7979d83cdd05a2442fac9cfc2d58ecadf50c0383
  SHA256: 3d6027bff64f5948a54c7b89f51667917e0067bf70c97c1bf98778e2a3588d58
  SHA512: 341c0f0d87a2371664e1a8d8cef499b54ccff6e5c542db618c76fdc238c0587bad78642d33423838ded37896c8018ccaa5d224c99ebdeebf009c2dd43fa104bc
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 1aeb661f721395e4f64040e2834b326e
  SHA1: 92b750f744da9a89d1796cf9b9c1021f7e35184d
  SHA256: dd0e4a94f23ca9fd430c9ce9ea97b99f090831ff7f70046dccd2e6f9063ad10b
  SHA512: 08eadf5dfe5a08a5d0826612d9d8a3527973a068c909d0f105fc5d5e63003cb79c5292ecdc22a243bf270edee76467330838a885d24801d6abc07c75bda70f78
- memory/952-54-0x0000000000000000-mapping.dmp
- memory/952-55-0x0000000075631000-0x0000000075633000-memory.dmp
  Filesize: 8KB
- memory/1680-56-0x0000000000000000-mapping.dmp