Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 00:50

Static task: static1

Behavioral task: behavioral1
  Sample: 2d2daf069b36656688ef15b656ce9fd1.dll
  Resource: win7-20220718-en

Behavioral task: behavioral2
  Sample: 2d2daf069b36656688ef15b656ce9fd1.dll
  Resource: win10v2004-20220718-en
General
- Target: 2d2daf069b36656688ef15b656ce9fd1.dll
- Size: 5.0MB
- MD5: 2d2daf069b36656688ef15b656ce9fd1
- SHA1: 04901d6c4a4d3cde87da7d70d3c32850dfed593c
- SHA256: b91ed11287b405a98863214b19ba8bee0134715aca985d0fd6cb1765aa8c50e3
- SHA512: 89c64b66d92ddc6c527e62bb599e06039eb96917d997d7aefc0d5df2316dcaa0f22f07ec31ca64a7440cb094ccd9e06d2b9d691146895f4c71f2a074400d9475
Malware Config

Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3247) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    952   mssecsvc.exe
    2352  mssecsvc.exe
    3984  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                          pid   process       target process
    PID 5116 wrote to memory of 4904     5116  rundll32.exe  rundll32.exe
    PID 5116 wrote to memory of 4904     5116  rundll32.exe  rundll32.exe
    PID 5116 wrote to memory of 4904     5116  rundll32.exe  rundll32.exe
    PID 4904 wrote to memory of 952      4904  rundll32.exe  mssecsvc.exe
    PID 4904 wrote to memory of 952      4904  rundll32.exe  mssecsvc.exe
    PID 4904 wrote to memory of 952      4904  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d2daf069b36656688ef15b656ce9fd1.dll,#1
  PID: 5116
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d2daf069b36656688ef15b656ce9fd1.dll,#1
    PID: 4904
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command: C:\WINDOWS\mssecsvc.exe
      PID: 952
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command: C:\WINDOWS\tasksche.exe /i
        PID: 3984
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2352
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 2c5d1266a3d54d8777b91e6c85809f9b
  SHA1: 9e470ca3ee569637e8a681b2fff468b7a2a025df
  SHA256: 5719cf9060aa193a15f686bc35824f5faeb8c72903ff925359ccfba1b86c39f6
  SHA512: 8bfac7f913109cb8ace120f34de1a2f1f1bacab1204bf497376e84e5d736dbb8447e81f8bc2c32a6f45b11df7ab5a515a0fa78aaa09b1d0ffcb77c2734bffe61
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 2c5d1266a3d54d8777b91e6c85809f9b
  SHA1: 9e470ca3ee569637e8a681b2fff468b7a2a025df
  SHA256: 5719cf9060aa193a15f686bc35824f5faeb8c72903ff925359ccfba1b86c39f6
  SHA512: 8bfac7f913109cb8ace120f34de1a2f1f1bacab1204bf497376e84e5d736dbb8447e81f8bc2c32a6f45b11df7ab5a515a0fa78aaa09b1d0ffcb77c2734bffe61
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 78f62ebcadf01c619ca59543567d275c
  SHA1: ce71a9231cf4599a2a2e2700e6f400b611355a0a
  SHA256: e23d8a86f64b888c8807f86138e0b067d879d57cd333eab88db81c937be9f08c
  SHA512: cc0005545b2015125d2d026d1f1d4d4f16ee6042e0caf029b1bc0b466a0b2eb7f1f83c28c2e784e07135f5103b83fd5cff2583f88818cd6bfb5cc1e9719d5065
- memory/952-131-0x0000000000000000-mapping.dmp
- memory/4904-130-0x0000000000000000-mapping.dmp