Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 00:23
Static task: static1
Behavioral task: behavioral1
- Sample: 2a3576b7a781ed83ef73954c33b235f9.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 2a3576b7a781ed83ef73954c33b235f9.dll
- Resource: win10v2004-20220718-en
General
- Target: 2a3576b7a781ed83ef73954c33b235f9.dll
- Size: 5.0MB
- MD5: 2a3576b7a781ed83ef73954c33b235f9
- SHA1: 89da95dd1f288ad96ed5e79907bd7eeb1e5af63f
- SHA256: c8db12d4e1b926b79ef7857e91b34e909b8024c3eaaab8580e4e1d157eaa726f
- SHA512: 4cdd8839a5efbdff79a6fb44abc7e8f934d6ac50b63838a149e3635ff398bb28424375340c3b756fb1400382680a3a702d00cd38756e0be1815292645ca78db1
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3219) of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID   Process
  1360  mssecsvc.exe
  3640  mssecsvc.exe
  2556  tasksche.exe
- Creates a large number of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  Description                        PID   Process       Target PID  Target process
  PID 3968 wrote to memory of 2416   3968  rundll32.exe  2416        rundll32.exe
  PID 3968 wrote to memory of 2416   3968  rundll32.exe  2416        rundll32.exe
  PID 3968 wrote to memory of 2416   3968  rundll32.exe  2416        rundll32.exe
  PID 2416 wrote to memory of 1360   2416  rundll32.exe  1360        mssecsvc.exe
  PID 2416 wrote to memory of 1360   2416  rundll32.exe  1360        mssecsvc.exe
  PID 2416 wrote to memory of 1360   2416  rundll32.exe  1360        mssecsvc.exe
  Every write here lands in a process the writer had just created (3968 into its child 2416, 2416 into its child 1360). A parent writing into a freshly created child is also what ordinary process start-up looks like, so on its own this signature is weak evidence of injection; the dropped-file and network signatures carry the finding.
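The two signatures that matter here, an executable dropped under C:\Windows by rundll32.exe and one process fanning out to thousands of remote hosts, can be expressed as rules over endpoint telemetry. The following is an added example written for this report, not code from the sandbox or its vendor. The event dicts use a made-up schema (not Sysmon or tria.ge output); the process names, PIDs and paths are the ones the report lists, the 445 destination port and the 10.0.0.0/24 addresses are constructed, and the fan-out threshold is an assumption to be baselined per environment.

```python
"""Behavioural detection over constructed endpoint telemetry.

Added example for this report, not code from the sandbox or its vendor.
The event dicts below are a made-up schema (not Sysmon or tria.ge output);
process names, PIDs and file paths are the ones the report lists, and the
network flows are constructed to stand in for the 3219-host fan-out.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".sys"}
# Assumption: one process talking to this many distinct hosts inside the
# observation window is abnormal. Baseline it per environment before deploying.
FANOUT_THRESHOLD = 100


def _norm(path: str) -> PureWindowsPath:
    """Windows paths are case-insensitive: C:\\WINDOWS and C:\\Windows are one directory."""
    return PureWindowsPath(path.casefold())


def under_windows_dir(path: str) -> bool:
    """True for anything below C:\\Windows, whatever the casing."""
    parts = _norm(path).parts
    return len(parts) >= 2 and parts[0] == "c:\\" and parts[1] == "windows"


def rule_rundll32_drops_executable(events):
    """rundll32.exe writing an executable under C:\\Windows (mssecsvc.exe in the report)."""
    hits = []
    for e in events:
        if e["type"] != "file_create" or _norm(e["process"]).name != "rundll32.exe":
            continue
        if _norm(e["path"]).suffix in EXECUTABLE_EXT and under_windows_dir(e["path"]):
            hits.append((e["pid"], e["path"]))
    return hits


def rule_remote_host_fanout(events, threshold=FANOUT_THRESHOLD):
    """Distinct remote hosts per process; repeated flows to one host count once."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "net_connect":
            hosts[(e["pid"], e["process"])].add(e["dst_ip"])
    return {k: len(v) for k, v in hosts.items() if len(v) >= threshold}


# Constructed telemetry mirroring the report's process tree.
SAMPLE_EVENTS = [
    {"type": "file_create", "pid": 2416, "process": r"C:\Windows\SysWOW64\rundll32.exe",
     "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file_create", "pid": 1360, "process": r"C:\WINDOWS\mssecsvc.exe",
     "path": r"C:\WINDOWS\tasksche.exe"},            # writer is not rundll32: rule 1 ignores it
    {"type": "file_create", "pid": 2416, "process": "rundll32.exe",
     "path": r"C:\Users\Admin\AppData\Local\Temp\trace.log"},  # benign: outside C:\Windows
]
# mssecsvc.exe sweeping 150 distinct hosts (constructed addresses and port), ten of them twice.
SAMPLE_EVENTS += [
    {"type": "net_connect", "pid": 1360, "process": "mssecsvc.exe",
     "dst_ip": f"10.0.0.{i}", "dst_port": 445}
    for i in list(range(150)) + list(range(10))
]
# A service talking to three hosts stays under the threshold.
SAMPLE_EVENTS += [
    {"type": "net_connect", "pid": 900, "process": "svchost.exe", "dst_ip": ip, "dst_port": 443}
    for ip in ("10.0.1.1", "10.0.1.2", "10.0.1.3")
]

if __name__ == "__main__":
    print(rule_rundll32_drops_executable(SAMPLE_EVENTS))
    print(rule_remote_host_fanout(SAMPLE_EVENTS))
```

Both rules key on behaviour rather than on the sample's hashes, so a repacked build that keeps the rundll32 loader and the SMB-style sweep still trips them; the fan-out rule counts distinct hosts, not flows, so retries against one host do not inflate the score.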
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3576b7a781ed83ef73954c33b235f9.dll,#1
  PID: 3968
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2a3576b7a781ed83ef73954c33b235f9.dll,#1
    PID: 2416
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1360
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2556
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3640
  Signatures: Executes dropped EXE

Reading the tree: the sample is invoked through rundll32 by export ordinal (#1). The 64-bit System32 rundll32 (3968) hands off to the 32-bit SysWOW64 copy (2416) with the same command line, which is how rundll32 behaves when the DLL is 32-bit; it is the 32-bit instance that writes mssecsvc.exe to C:\WINDOWS and starts it. The second mssecsvc.exe (3640, "-m security") is not a child of that chain; its parent is not shown in the tree.
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0f9632795175be3e6c78137870eee044
  SHA1: b8d48e7f0f3410424d42f8f6b706086260731017
  SHA256: 329c8f13936f314bfad185043746ef9a4f29e5565a1e6a4b419891613329fcba
  SHA512: a68797c8e4264059692ac1312e92fc4d3a33953c98a299c375a7b62c2a5bdca7d8a4b13e5f2fe2e40f528be7af53361ac18ee682781985af6780653e741ea5c2
- C:\Windows\mssecsvc.exe (same file as above; Windows paths are case-insensitive)
  Filesize: 3.6MB
  MD5: 0f9632795175be3e6c78137870eee044
  SHA1: b8d48e7f0f3410424d42f8f6b706086260731017
  SHA256: 329c8f13936f314bfad185043746ef9a4f29e5565a1e6a4b419891613329fcba
  SHA512: a68797c8e4264059692ac1312e92fc4d3a33953c98a299c375a7b62c2a5bdca7d8a4b13e5f2fe2e40f528be7af53361ac18ee682781985af6780653e741ea5c2
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a089e2e733a58751cab58ba261acc543
  SHA1: 5dfeb7e02d81bf5eb545c8993e49d48853ab30a9
  SHA256: 06a24b8386dfff1fa844846aafd8d9c5fda5c5687a84a3b53ffaf62d995498e3
  SHA512: c5d924b45790f4687fddaf5bbb44200fd10d4016cc482cc9abff00f3ef725d6155f95a7934c81178bb5dde82ce8af93a2540cedfda0d7b3d7d90dce242268cb7
- memory/1360-131-0x0000000000000000-mapping.dmp
- memory/1360-135-0x0000000000400000-0x0000000000A73000-memory.dmp (Filesize 6.4MB)
- memory/1360-138-0x0000000000400000-0x0000000000A73000-memory.dmp (Filesize 6.4MB)
- memory/2416-130-0x0000000000000000-mapping.dmp
- memory/3640-136-0x0000000000400000-0x0000000000A73000-memory.dmp (Filesize 6.4MB)
- memory/3640-139-0x0000000000400000-0x0000000000A73000-memory.dmp (Filesize 6.4MB)
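The dropped-file hashes above are the indicators a responder sweeps a fleet for. The following is an added example written for this report, not code from the sandbox or its vendor: it matches a file inventory against the two dropped files, using SHA256 as the deciding key (the MD5 and SHA1 values are useful for lookups in other feeds but MD5 collisions are practical, so they should not decide a match), and it normalises path case because the report itself lists the same file as C:\WINDOWS\mssecsvc.exe and C:\Windows\mssecsvc.exe. The inventory records, host names and the non-report hashes are constructed; a real inventory would come from an EDR export or a hashing sweep such as hash_file().

```python
"""Match a file inventory against the report's dropped-file indicators.

Added example, not code from the sandbox report or its vendor. The SHA256
values and paths are the ones listed in this report; the inventory records
are constructed to exercise each match class.
"""
import hashlib
from pathlib import PureWindowsPath

# Dropped files from the report: full path -> SHA256. SHA256 is the matching
# key; the MD5/SHA1 values in the report are for lookup, not for deciding a match.
FILE_IOCS = {
    r"C:\Windows\mssecsvc.exe": "329c8f13936f314bfad185043746ef9a4f29e5565a1e6a4b419891613329fcba",
    r"C:\Windows\tasksche.exe": "06a24b8386dfff1fa844846aafd8d9c5fda5c5687a84a3b53ffaf62d995498e3",
}


def _norm(path: str) -> PureWindowsPath:
    # Case-insensitive compare: the report lists C:\WINDOWS and C:\Windows for one file.
    return PureWindowsPath(path.casefold())


IOC_HASHES = {h.lower() for h in FILE_IOCS.values()}
IOC_PATHS = {_norm(p) for p in FILE_IOCS}
IOC_NAMES = {_norm(p).name for p in FILE_IOCS}


def hash_file(local_path: str) -> str:
    """SHA256 of a file on disk, read in 1 MiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(local_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(record: dict):
    """Return the match class for one inventory record, or None.

    'hash' : content identical to a dropped file, wherever it sits and whatever it is called
    'path' : the exact dropped path but different content (repacked variant, or a leftover)
    'name' : same filename elsewhere on disk (weak; confirm before acting)
    """
    if record["sha256"].lower() in IOC_HASHES:
        return "hash"
    p = _norm(record["path"])
    if p in IOC_PATHS:
        return "path"
    if p.name in IOC_NAMES:
        return "name"
    return None


def match_inventory(records):
    """(host, path, match class) for every record that hits, in input order."""
    out = []
    for r in records:
        kind = classify(r)
        if kind:
            out.append((r["host"], r["path"], kind))
    return out


# Constructed inventory: one hit per class plus a benign system file.
SAMPLE_INVENTORY = [
    {"host": "ws01", "path": r"C:\WINDOWS\mssecsvc.exe",
     "sha256": "329C8F13936F314BFAD185043746EF9A4F29E5565A1E6A4B419891613329FCBA"},  # uppercase, exact sample
    {"host": "ws02", "path": r"C:\Windows\tasksche.exe", "sha256": "0" * 64},      # right path, other content
    {"host": "ws03", "path": r"C:\Users\Admin\Downloads\mssecsvc.exe", "sha256": "1" * 64},  # filename only
    {"host": "ws04", "path": r"C:\Temp\update.bin",
     "sha256": FILE_IOCS[r"C:\Windows\tasksche.exe"]},                             # renamed copy, still a hash hit
    {"host": "ws05", "path": r"C:\Windows\explorer.exe", "sha256": "2" * 64},      # benign
]

if __name__ == "__main__":
    for hit in match_inventory(SAMPLE_INVENTORY):
        print(*hit)
```

The ordering of the checks is deliberate: a hash hit is reported even when the file has been renamed or moved, a path hit with a different hash points at a variant or a remnant worth pulling for analysis, and a bare filename hit is only a lead.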