Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
12-07-2022 19:04
General
-
Target
4a82d196da45ff09474f521af44f731343e426829e90415c7c65f57c7ecfdba2.dll
-
Size
5.0MB
-
MD5
3193ed2ff9928faf1ce5979ff9445359
-
SHA1
cb133ba5940c887b6f326f548c9c35ff30b4598d
-
SHA256
4a82d196da45ff09474f521af44f731343e426829e90415c7c65f57c7ecfdba2
-
SHA512
c67f4e5349c8d85deeb219bfd93a75609f23cbd117417f6cc02435a348d8b8c057d043d3d2ceb8cce5742f2a6beeab419d4a03a4194a78059fbaa8599e7da487
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
-
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1
-
Contacts a large (3266) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4a82d196da45ff09474f521af44f731343e426829e90415c7c65f57c7ecfdba2.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4a82d196da45ff09474f521af44f731343e426829e90415c7c65f57c7ecfdba2.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD5a50e6c13250b703735e6fe3cd6108471
SHA1ba08a450d2e3deea3507fe628e7c0eed61f513c8
SHA25653754080355bdd6e8e6e0a2c0fd4e338e9cebc1b14639e12f91803ff26796a3b
SHA512e6c74ac90b7fc32e523a1e1d09762ce3aeb5dd43c421299e7fe596562032c2bfbd8135ad6609c44d7878447a82b5bd0842133ede209b93ac6c6fc0495929bb99
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5a50e6c13250b703735e6fe3cd6108471
SHA1ba08a450d2e3deea3507fe628e7c0eed61f513c8
SHA25653754080355bdd6e8e6e0a2c0fd4e338e9cebc1b14639e12f91803ff26796a3b
SHA512e6c74ac90b7fc32e523a1e1d09762ce3aeb5dd43c421299e7fe596562032c2bfbd8135ad6609c44d7878447a82b5bd0842133ede209b93ac6c6fc0495929bb99
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5a50e6c13250b703735e6fe3cd6108471
SHA1ba08a450d2e3deea3507fe628e7c0eed61f513c8
SHA25653754080355bdd6e8e6e0a2c0fd4e338e9cebc1b14639e12f91803ff26796a3b
SHA512e6c74ac90b7fc32e523a1e1d09762ce3aeb5dd43c421299e7fe596562032c2bfbd8135ad6609c44d7878447a82b5bd0842133ede209b93ac6c6fc0495929bb99
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD57f7ccaa16fb15eb1c7399d422f8363e8
SHA1bd44d0ab543bf814d93b719c24e90d8dd7111234
SHA2562584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
SHA51283e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7
-
memory/1364-131-0x0000000000000000-mapping.dmp
-
memory/2064-130-0x0000000000000000-mapping.dmp