Analysis
- max time kernel: 159s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 22:25
Static task: static1
Behavioral task: behavioral1
  Sample: 37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll
  Resource: win10v2004-20220414-en
General
- Target: 37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll
- Size: 5.0MB
- MD5: 0e6c5008129bb859f0a760e1167f4097
- SHA1: f8bea1b72244172d15da1a4ee05d013db287abc4
- SHA256: 37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31
- SHA512: 40fa30544386a46297ebeaea229e52fb459135314df7b0119bc3275ee2b6d03aed6a183da343652d335edd168b414c17a34ab807971e4c8ad450e6b0bbb1e4b1
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2722) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    1532  mssecsvc.exe
    5116  mssecsvc.exe
    4804  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                      Process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Program crash (2 IoCs)
  Processes:
    PID   Target PID  Process       Target process
    2208  4804        WerFault.exe  tasksche.exe
    1536  4804        WerFault.exe  tasksche.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    Description                        PID   Process       Target process
    PID 3948 wrote to memory of 1016   3948  rundll32.exe  rundll32.exe
    PID 3948 wrote to memory of 1016   3948  rundll32.exe  rundll32.exe
    PID 3948 wrote to memory of 1016   3948  rundll32.exe  rundll32.exe
    PID 1016 wrote to memory of 1532   1016  rundll32.exe  mssecsvc.exe
    PID 1016 wrote to memory of 1532   1016  rundll32.exe  mssecsvc.exe
    PID 1016 wrote to memory of 1532   1016  rundll32.exe  mssecsvc.exe
    PID 1532 wrote to memory of 4804   1532  mssecsvc.exe  tasksche.exe
    PID 1532 wrote to memory of 4804   1532  mssecsvc.exe  tasksche.exe
    PID 1532 wrote to memory of 4804   1532  mssecsvc.exe  tasksche.exe
Processes (process tree; nested entries are child processes of the entry above them)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\37b5543ffedb77305379e07c4e17b637e52e6cfc26669357e15fa8388a051e31.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 220
          Signatures: Program crash
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 264
          Signatures: Program crash
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4804 -ip 4804
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4804 -ip 4804
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 9057900258d9cdd64a479b2d72b0877d
  SHA1: 7b161c722039f8456f9cd8b31c674b39fd63d589
  SHA256: 9cbfe3942d5192a779c6ac9718922d4d0cec10297d68f377b791f554e3cd2a87
  SHA512: 93d65a5c1897b2512364257e2ed5c1951659413346a52ce2551607cfb732f83f256effa6fa0278cda098ec4fe9d801519c446384e3bcc5517863d8db65414398
- C:\WINDOWS\tasksche.exe
  Filesize: 3.4MB
  MD5: f5f27da84f5bdd5410d442e126eb0b51
  SHA1: 06ec74139d4857c8cf2ff5f943033a022fc2f6fa
  SHA256: ce55e8f2041f0dee35769c1b8b70ac077b86df17a0a593cc9dd3cc8c0ffc0b40
  SHA512: 86d1e2bef7f1e2dd35ad8a646e8ca91644f015c7688c4452434e7359ecc3826d46d70b859d16b3c3755fa58ffaac9c1107d47a4abd527b96592b9c05f278a9fd
- memory/1016-130-0x0000000000000000-mapping.dmp
- memory/1532-131-0x0000000000000000-mapping.dmp
- memory/4804-135-0x0000000000000000-mapping.dmp