Analysis
max time kernel: 151s
max time network: 157s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08-09-2022 19:55
Static task: static1
Behavioral task: behavioral1
  Sample: 3df6e06d7f6270903dda0e9e0da7ff6e.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 3df6e06d7f6270903dda0e9e0da7ff6e.dll
  Resource: win10v2004-20220901-en
General
Target: 3df6e06d7f6270903dda0e9e0da7ff6e.dll
Size: 5.0MB
MD5: 3df6e06d7f6270903dda0e9e0da7ff6e
SHA1: 29dcb3b3b9f9e5f6679ba6fa32531d4d92f567fb
SHA256: 51c5225c4bf368296754697e310f1583300b5e85748be40dca5ff5647df4f8dc
SHA512: 0cf97a1361b5b73569c4497958091b298c2c29c85ad734078165fbe0cb86c9776bd33463dbd7ecda8d147544d771b1ca6b8751bfc8135cb70eb257f211de3e94
SSDEEP: 49152:snjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SA:M8qPoBhz1aRxcSUDk36SA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1270) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid   process
1908  mssecsvc.exe
2028  mssecsvc.exe
1432  tasksche.exe
-
Drops file in System32 directory 1 IoCs
Processes: mssecsvc.exe
description: File opened for modification; ioc: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat; process: mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes: rundll32.exe, mssecsvc.exe
description: File created; ioc: C:\WINDOWS\mssecsvc.exe; process: rundll32.exe
description: File created; ioc: C:\WINDOWS\tasksche.exe; process: mssecsvc.exe
-
Modifies data under HKEY_USERS 1 IoCs
Processes: mssecsvc.exe
description: Key created; ioc: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings; process: mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: rundll32.exe, rundll32.exe
description                      pid  process       target process
PID 288 wrote to memory of 748   288  rundll32.exe  rundll32.exe
PID 288 wrote to memory of 748   288  rundll32.exe  rundll32.exe
PID 288 wrote to memory of 748   288  rundll32.exe  rundll32.exe
PID 288 wrote to memory of 748   288  rundll32.exe  rundll32.exe
PID 288 wrote to memory of 748   288  rundll32.exe  rundll32.exe
PID 288 wrote to memory of 748   288  rundll32.exe  rundll32.exe
PID 288 wrote to memory of 748   288  rundll32.exe  rundll32.exe
PID 748 wrote to memory of 1908  748  rundll32.exe  mssecsvc.exe
PID 748 wrote to memory of 1908  748  rundll32.exe  mssecsvc.exe
PID 748 wrote to memory of 1908  748  rundll32.exe  mssecsvc.exe
PID 748 wrote to memory of 1908  748  rundll32.exe  mssecsvc.exe
Processes
-
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3df6e06d7f6270903dda0e9e0da7ff6e.dll,#1
  Depth: 1
  - Suspicious use of WriteProcessMemory
  PID: 288
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3df6e06d7f6270903dda0e9e0da7ff6e.dll,#1
    Depth: 2
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 748
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Depth: 3
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1908
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Depth: 4
        - Executes dropped EXE
        PID: 1432
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Depth: 1
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2028
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 3.6MB
MD5: 83b00f6b894ff7bb0f087fb29d940ae0
SHA1: b11684cfcb4f81a5997a1e67444f38e4de06a342
SHA256: eca5e284a55c0b83ce4ae7eccbd54632775ab02ed34c8456459612721ddba9d7
SHA512: c319e4eb06b67eda1bc06c8c5e0146d8b8866b04180e37ae72e7642befc0cc0cd641297e990fa1657fc7d26a55c78ce5325deb2cd958de02e7980c23e6121f1e
-
Filesize: 3.4MB
MD5: d2deffafa88eed37f5263b395767fd0b
SHA1: cf96cad2f905f022e59d1345fe211984dae32321
SHA256: 71431f1a52800c3b1c0f6e7de9241089e0864d1e059b89504a15c3d2565bde66
SHA512: 832d7bf0ba6425e265cf7e203ae4facfce4a19e07353fd69d036c557f1b1561a29dea4abc1fce0032bdd8b6cc97cd3fb7fbe0d2684d8df0edb2fb6b5dfbe4b25