Analysis
-
max time kernel
150s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20220718-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
20-07-2022 00:38
Static task
static1
Behavioral task
behavioral1
Sample
70db09d5c1b353cc72012e222f1125fa.dll
Resource
win7-20220715-en
Behavioral task
behavioral2
Sample
70db09d5c1b353cc72012e222f1125fa.dll
Resource
win10v2004-20220718-en
General
-
Target
70db09d5c1b353cc72012e222f1125fa.dll
-
Size
5.0MB
-
MD5
70db09d5c1b353cc72012e222f1125fa
-
SHA1
c4b787d52d8e8edbdd150f9eaa2555a5b9b2af01
-
SHA256
016b40a769d4d34da8cdf3bf08a166c3243b659c31c152d3c0899993a7aa8f07
-
SHA512
674249b9375c124c4fc44781dd88f87d1c7c02c2378b1b464817b56ace78732689b4349c6d5967dae90bddcef7767f4f7a532e1111eeb920ca45f31de4f49abe
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (3305) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes:
pid   process
3436  mssecsvr.exe
3528  mssecsvr.exe
5044  tasksche.exe
-
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory (2 IoCs)
Processes:
description   ioc                       process
File created  C:\WINDOWS\mssecsvr.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvr.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                          pid   process       target process
PID 4800 wrote to memory of 2296     4800  rundll32.exe  rundll32.exe
PID 4800 wrote to memory of 2296     4800  rundll32.exe  rundll32.exe
PID 4800 wrote to memory of 2296     4800  rundll32.exe  rundll32.exe
PID 2296 wrote to memory of 3436     2296  rundll32.exe  mssecsvr.exe
PID 2296 wrote to memory of 3436     2296  rundll32.exe  mssecsvr.exe
PID 2296 wrote to memory of 3436     2296  rundll32.exe  mssecsvr.exe
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70db09d5c1b353cc72012e222f1125fa.dll,#1
- Suspicious use of WriteProcessMemory
PID: 4800
  -
  C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\70db09d5c1b353cc72012e222f1125fa.dll,#1
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 2296
    -
    C:\WINDOWS\mssecsvr.exe
    Command line: C:\WINDOWS\mssecsvr.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 3436
      -
      C:\WINDOWS\tasksche.exe
      Command line: C:\WINDOWS\tasksche.exe /i
      - Executes dropped EXE
      PID: 5044
-
C:\WINDOWS\mssecsvr.exe
Command line: C:\WINDOWS\mssecsvr.exe -m security
- Executes dropped EXE
PID: 3528
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\WINDOWS\mssecsvr.exe
Filesize: 3.6MB
MD5: 4787fc242f884aaa688b0e2ec3be8b05
SHA1: ae8a9a19ff2d5c455d1ae3d8ab9e3a4d2b3217b5
SHA256: 47ba56ef076b79b7b021d1542ab9fc2c35b14f9a9732db74c7b1cb3fe05bc905
SHA512: 22aca9b48bd02d3552f57e22ede201118aa9e48c4d5c6a540aa51176e58ba7758d58324d38f96ab1e988c629fb84b794ddcd020224e73783dcd3fdc7e2137c25
-
C:\Windows\mssecsvr.exe
Filesize: 3.6MB
MD5: 4787fc242f884aaa688b0e2ec3be8b05
SHA1: ae8a9a19ff2d5c455d1ae3d8ab9e3a4d2b3217b5
SHA256: 47ba56ef076b79b7b021d1542ab9fc2c35b14f9a9732db74c7b1cb3fe05bc905
SHA512: 22aca9b48bd02d3552f57e22ede201118aa9e48c4d5c6a540aa51176e58ba7758d58324d38f96ab1e988c629fb84b794ddcd020224e73783dcd3fdc7e2137c25
-
C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: 7f7ccaa16fb15eb1c7399d422f8363e8
SHA1: bd44d0ab543bf814d93b719c24e90d8dd7111234
SHA256: 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
SHA512: 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7
-
memory/2296-130-0x0000000000000000-mapping.dmp
-
memory/3436-131-0x0000000000000000-mapping.dmp