Analysis
max time kernel: 154s
max time network: 161s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 12-10-2022 08:06
Static task: static1
Behavioral task: behavioral1
  Sample: b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83.dll
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83.dll
  Resource: win10v2004-20220901-en
General
Target: b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83.dll
Size: 5.0MB
MD5: 5cfb415656b90415c61f63f926687bba
SHA1: 38f948257e65bce017effb1dd4166b45857a8664
SHA256: b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83
SHA512: 12a7ceecd273801afb49e464b8f9365de6c0f28474bfdb80692b63e5b5a534150e494d518dc0a89b0022b12cb090b55184ea44e04586c828120c8653cd3a32bf
SSDEEP: 12288:ywbLgPluxQhMbaIMk3CgvggHOTcjys758YJM0Q4sYWs7GRaocwj:JbLgdeQhfdk3Cg4gycjys7xG
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
Contacts a large number (1232) of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes:
  PID 888  mssecsvc.exe
  PID 572  mssecsvc.exe
  PID 268  tasksche.exe
Drops file in System32 directory (1 IoCs)
Processes:
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (by mssecsvc.exe)
Drops file in Windows directory (2 IoCs)
Processes:
  File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
Modifies data under HKEY_USERS (1 IoCs)
Processes:
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (by mssecsvc.exe)
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 1116 (rundll32.exe) wrote to memory of PID 1692 (rundll32.exe), 7 events
  PID 1692 (rundll32.exe) wrote to memory of PID 888 (mssecsvc.exe), 4 events
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
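The process tree and dropped-file hashes above are the indicators a detection engineer would lift from this report: the 32-bit rundll32.exe loading the sample DLL by export ordinal (",#1") from the user's Temp directory, that rundll32.exe writing C:\WINDOWS\mssecsvc.exe and launching it, mssecsvc.exe launching "tasksche.exe /i", and a second mssecsvc.exe instance running with "-m security". The following is an added example, not part of the sandbox report and not code from the sandbox vendor, that encodes those indicators as a small set of process-creation rules, links the three stages through parent PIDs, and compares dropped-file bytes against the report's SHA256 values. The ProcessEvent records at the bottom are constructed sample telemetry mirroring the report's PIDs and paths; the parent images for PIDs 1116, 572 and the benign notepad.exe event are assumptions for a stand-alone run, not values taken from the report.

```python
"""
Detection helpers for the WannaCry execution chain recorded in this report.

Indicator values (image names, command-line shapes, dropped-file SHA256s) are
taken from the report. SAMPLE_EVENTS is CONSTRUCTED telemetry for a stand-alone
run; it is not sandbox output.
"""
from __future__ import annotations

import hashlib
import ntpath
from dataclasses import dataclass

# SHA256 of the two dropped executables, from the report's Downloads section.
DROPPED_FILE_SHA256 = {
    "mssecsvc.exe": "26976b3366452c0b547f8c95e0e7253e68f290e9c3fe96be328ec72903cf17cf",
    "tasksche.exe": "cf2265768a9db3913740f9b11c47f2382a35e80c1c002c7d36110438042f6298",
}


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str        # full command line of the new process
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    # ntpath handles backslash paths regardless of the host OS.
    return ntpath.basename(path).lower()


def match_event(ev: ProcessEvent) -> list[str]:
    """Return the names of every report-derived rule the event satisfies."""
    hits = []
    img, parent, cmd = _basename(ev.image), _basename(ev.parent_image), ev.cmdline.lower()
    # Stage 1: rundll32 calls export ordinal 1 of a DLL sitting in %LOCALAPPDATA%\Temp.
    if img == "rundll32.exe" and ",#1" in cmd and "\\appdata\\local\\temp\\" in cmd:
        hits.append("rundll32_ordinal_export_from_temp")
    # Stage 2: rundll32 launches the dropped mssecsvc.exe out of C:\Windows.
    if img == "mssecsvc.exe" and parent == "rundll32.exe" and ev.image.lower().startswith("c:\\windows\\"):
        hits.append("rundll32_spawns_mssecsvc")
    # Service-mode instance: mssecsvc.exe -m security.
    if img == "mssecsvc.exe" and cmd.rstrip().endswith(" -m security"):
        hits.append("mssecsvc_service_mode")
    # Stage 3: mssecsvc.exe launches tasksche.exe /i.
    if img == "tasksche.exe" and parent == "mssecsvc.exe" and cmd.rstrip().endswith(" /i"):
        hits.append("mssecsvc_spawns_tasksche")
    return hits


def find_chains(events: list[ProcessEvent]) -> list[tuple[int, int, int]]:
    """Link stage 3 -> stage 2 -> stage 1 via parent PIDs; return (rundll32, mssecsvc, tasksche) PID triples."""
    by_pid = {ev.pid: ev for ev in events}
    chains = []
    for ev in events:
        if "mssecsvc_spawns_tasksche" not in match_event(ev):
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or "rundll32_spawns_mssecsvc" not in match_event(parent):
            continue
        grand = by_pid.get(parent.ppid)
        if grand is None or "rundll32_ordinal_export_from_temp" not in match_event(grand):
            continue
        chains.append((grand.pid, parent.pid, ev.pid))
    return chains


def check_dropped_file(name: str, data: bytes) -> bool:
    """True only if the bytes hash to the SHA256 the report recorded for that dropped file name."""
    expected = DROPPED_FILE_SHA256.get(name.lower())
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


# Constructed telemetry mirroring the report's tree. Parent images for PIDs 1116 and 572
# and the notepad.exe line are assumptions added for this example.
_DLL = r"C:\Users\Admin\AppData\Local\Temp\b0defd094a19fc6ec21d44f93c37cfce0835cb16826c82624f7b4f352ee89f83.dll"
SAMPLE_EVENTS = [
    ProcessEvent(1116, 400, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {_DLL},#1", r"C:\Windows\explorer.exe"),
    ProcessEvent(1692, 1116, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {_DLL},#1", r"C:\Windows\system32\rundll32.exe"),
    ProcessEvent(888, 1692, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcessEvent(268, 888, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i", r"C:\WINDOWS\mssecsvc.exe"),
    ProcessEvent(572, 456, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security", r"C:\Windows\System32\services.exe"),
    ProcessEvent(2000, 400, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.pid, _basename(ev.image), match_event(ev))
    print("chains:", find_chains(SAMPLE_EVENTS))
    # A constructed placeholder file does not hash to the report's value.
    print("placeholder matches report hash:", check_dropped_file("mssecsvc.exe", b"MZ placeholder"))
```

The rules deliberately key on the command-line shapes the report shows (ordinal export from Temp, "/i", "-m security") rather than on the file names alone, because the names are trivially changed while the launch sequence is what the dropper needs; the hash check is the last, most brittle layer and only confirms this exact build.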
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 304c244de941e6822cd124d7a13e11db
  SHA1: a81747913ef9bd9079bcb87c97ac79e8050b3529
  SHA256: 26976b3366452c0b547f8c95e0e7253e68f290e9c3fe96be328ec72903cf17cf
  SHA512: bb71534d28bde826132684d55bf8d9f70ccc90c2b74b354b3abfe2bef0d7b29693702b2d20f2793f3dbb558773e3409f4bfb308b1168266dc039854dbf1aa20c
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 304c244de941e6822cd124d7a13e11db
  SHA1: a81747913ef9bd9079bcb87c97ac79e8050b3529
  SHA256: 26976b3366452c0b547f8c95e0e7253e68f290e9c3fe96be328ec72903cf17cf
  SHA512: bb71534d28bde826132684d55bf8d9f70ccc90c2b74b354b3abfe2bef0d7b29693702b2d20f2793f3dbb558773e3409f4bfb308b1168266dc039854dbf1aa20c
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f02b23daefdd0fca354f7349339d98b8
  SHA1: 9df8d46f307540832d3163d834978a3f2cdfd6df
  SHA256: cf2265768a9db3913740f9b11c47f2382a35e80c1c002c7d36110438042f6298
  SHA512: ca5611872f0b0941a4874c1f3b22a57c266c7686409065e9569ad3e18ea731769ed3a75652ea9c6b7f5b352f8925bf37b0f7264fac2a4b6c69356819cf8915ce
memory/888-56-0x0000000000000000-mapping.dmp
memory/1692-54-0x0000000000000000-mapping.dmp
memory/1692-55-0x0000000076961000-0x0000000076963000-memory.dmp
  Filesize: 8KB