Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220718-en -
resource tags
arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system -
submitted
20-07-2022 00:36
Static task
static1
Behavioral task
behavioral1
Sample
a6fd638dd3026ca891088f6a84e48b0b.dll
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
a6fd638dd3026ca891088f6a84e48b0b.dll
Resource
win10v2004-20220718-en
General
-
Target
a6fd638dd3026ca891088f6a84e48b0b.dll
-
Size
5.0MB
-
MD5
a6fd638dd3026ca891088f6a84e48b0b
-
SHA1
cc6a4e18782f46078e062520a0d64e4e342f5b5d
-
SHA256
c58541dc0af7599a3529fde1dc32b7e6560856bb127f94410744be63fa4d8277
-
SHA512
b9f3cdffe7cdcecdc7f759394ff5a2fb540ea4a6cdb7a7716c83639d57d135e1a54fb34c9b7baa28a681b2593d84cf726982abb8c1e19a1a196b61bfd58335ce
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3185) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1648 mssecsvc.exe 4684 mssecsvc.exe 4332 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1964 wrote to memory of 1176 1964 rundll32.exe rundll32.exe PID 1964 wrote to memory of 1176 1964 rundll32.exe rundll32.exe PID 1964 wrote to memory of 1176 1964 rundll32.exe rundll32.exe PID 1176 wrote to memory of 1648 1176 rundll32.exe mssecsvc.exe PID 1176 wrote to memory of 1648 1176 rundll32.exe mssecsvc.exe PID 1176 wrote to memory of 1648 1176 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a6fd638dd3026ca891088f6a84e48b0b.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a6fd638dd3026ca891088f6a84e48b0b.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1648 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:4332
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
PID:4684
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD5fbc2e97a4cdfd34cf02e3929ae123bae
SHA1e5173d8f5b76299a8e2af127a2e274d03154d363
SHA256976f2bfbf05fcfea2dbdb51718efc4ecf564708df708aae4226f6b35dbeaf307
SHA512a29274ac750aa22bddcfa7ae1192df0e1d2b89313eefd5d2f6caa7cae3e14a50f8edbbeea09b5fc4a362a7603a2989cd8c1cd7cfc2b3888d9b443c31908c5441
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5fbc2e97a4cdfd34cf02e3929ae123bae
SHA1e5173d8f5b76299a8e2af127a2e274d03154d363
SHA256976f2bfbf05fcfea2dbdb51718efc4ecf564708df708aae4226f6b35dbeaf307
SHA512a29274ac750aa22bddcfa7ae1192df0e1d2b89313eefd5d2f6caa7cae3e14a50f8edbbeea09b5fc4a362a7603a2989cd8c1cd7cfc2b3888d9b443c31908c5441
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5fbc2e97a4cdfd34cf02e3929ae123bae
SHA1e5173d8f5b76299a8e2af127a2e274d03154d363
SHA256976f2bfbf05fcfea2dbdb51718efc4ecf564708df708aae4226f6b35dbeaf307
SHA512a29274ac750aa22bddcfa7ae1192df0e1d2b89313eefd5d2f6caa7cae3e14a50f8edbbeea09b5fc4a362a7603a2989cd8c1cd7cfc2b3888d9b443c31908c5441
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD504257531522647f65a7b246539ba5feb
SHA1e56298af5fa2eddae63a95e831f949eeda37d3cf
SHA2564d47a9a89f381a40631a669d0cb2a88cc097c289e71b47cdd4149c976374b9a9
SHA5126eb6bbd6fbd238a00f5b17d39808b5dde5758be6ea5fa99d95ad0adb8428621c939dbe88d7bf18bf82804679b90dd99d95d114ef6d4648d9581d6b417b9dd8d5
-
memory/1176-130-0x0000000000000000-mapping.dmp
-
memory/1648-131-0x0000000000000000-mapping.dmp