Behavioral Report

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-09-2022 19:55

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

3df6e06d7f6270903dda0e9e0da7ff6e.dll
Size

5MB
MD5

3df6e06d7f6270903dda0e9e0da7ff6e
SHA1

29dcb3b3b9f9e5f6679ba6fa32531d4d92f567fb
SHA256

51c5225c4bf368296754697e310f1583300b5e85748be40dca5ff5647df4f8dc
SHA512

0cf97a1361b5b73569c4497958091b298c2c29c85ad734078165fbe0cb86c9776bd33463dbd7ecda8d147544d771b1ca6b8751bfc8135cb70eb257f211de3e94
SSDEEP

49152:snjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SA:M8qPoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (1270) amount of remote hosts ⋅ 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

TTPs:

Network Service Scanning
Executes dropped EXE ⋅ 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1908 mssecsvc.exe
2028 mssecsvc.exe
1432 tasksche.exe

pid	process
1908	mssecsvc.exe
2028	mssecsvc.exe
1432	tasksche.exe

Drops file in System32 directory ⋅ 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory ⋅ 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS ⋅ 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory ⋅ 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 288 wrote to memory of 748	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 748	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 748	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 748	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 748	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 748	288	rundll32.exe	rundll32.exe
PID 288 wrote to memory of 748	288	rundll32.exe	rundll32.exe
PID 748 wrote to memory of 1908	748	rundll32.exe	mssecsvc.exe
PID 748 wrote to memory of 1908	748	rundll32.exe	mssecsvc.exe
PID 748 wrote to memory of 1908	748	rundll32.exe	mssecsvc.exe
PID 748 wrote to memory of 1908	748	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3df6e06d7f6270903dda0e9e0da7ff6e.dll,#1

Suspicious use of WriteProcessMemory

PID:288

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3df6e06d7f6270903dda0e9e0da7ff6e.dll,#1

Drops file in Windows directory
Suspicious use of WriteProcessMemory

PID:748

C:\WINDOWS\mssecsvc.exe

C:\WINDOWS\mssecsvc.exe

Executes dropped EXE
Drops file in Windows directory

PID:1908

C:\WINDOWS\tasksche.exe

C:\WINDOWS\tasksche.exe /i

Executes dropped EXE

PID:1432

C:\WINDOWS\mssecsvc.exe

C:\WINDOWS\mssecsvc.exe -m security

Executes dropped EXE
Drops file in System32 directory
Modifies data under HKEY_USERS

PID:2028

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Network Service Scanning

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\WINDOWS\mssecsvc.exe
MD5
83b00f6b894ff7bb0f087fb29d940ae0

SHA1
b11684cfcb4f81a5997a1e67444f38e4de06a342

SHA256
eca5e284a55c0b83ce4ae7eccbd54632775ab02ed34c8456459612721ddba9d7

SHA512
c319e4eb06b67eda1bc06c8c5e0146d8b8866b04180e37ae72e7642befc0cc0cd641297e990fa1657fc7d26a55c78ce5325deb2cd958de02e7980c23e6121f1e

Download Submit
C:\Windows\mssecsvc.exe
MD5
83b00f6b894ff7bb0f087fb29d940ae0

SHA1
b11684cfcb4f81a5997a1e67444f38e4de06a342

SHA256
eca5e284a55c0b83ce4ae7eccbd54632775ab02ed34c8456459612721ddba9d7

SHA512
c319e4eb06b67eda1bc06c8c5e0146d8b8866b04180e37ae72e7642befc0cc0cd641297e990fa1657fc7d26a55c78ce5325deb2cd958de02e7980c23e6121f1e

Download Submit
C:\Windows\mssecsvc.exe
MD5
83b00f6b894ff7bb0f087fb29d940ae0

SHA1
b11684cfcb4f81a5997a1e67444f38e4de06a342

SHA256
eca5e284a55c0b83ce4ae7eccbd54632775ab02ed34c8456459612721ddba9d7

SHA512
c319e4eb06b67eda1bc06c8c5e0146d8b8866b04180e37ae72e7642befc0cc0cd641297e990fa1657fc7d26a55c78ce5325deb2cd958de02e7980c23e6121f1e

Download Submit
C:\Windows\tasksche.exe
MD5
d2deffafa88eed37f5263b395767fd0b

SHA1
cf96cad2f905f022e59d1345fe211984dae32321

SHA256
71431f1a52800c3b1c0f6e7de9241089e0864d1e059b89504a15c3d2565bde66

SHA512
832d7bf0ba6425e265cf7e203ae4facfce4a19e07353fd69d036c557f1b1561a29dea4abc1fce0032bdd8b6cc97cd3fb7fbe0d2684d8df0edb2fb6b5dfbe4b25

Download Submit
memory/748-54-0x0000000000000000-mapping.dmp

Download
memory/748-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Download
memory/1908-56-0x0000000000000000-mapping.dmp

Download
memory/1908-64-0x0000000000400000-0x0000000000A72000-memory.dmp

Download
memory/2028-63-0x0000000000400000-0x0000000000A72000-memory.dmp

Download
memory/2028-65-0x0000000000400000-0x0000000000A72000-memory.dmp

Download