Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:13
Static task: static1
Behavioral task: behavioral1
- Sample: bbe2afa97b110302be0e9e52be6d6f64.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: bbe2afa97b110302be0e9e52be6d6f64.dll
- Resource: win10v2004-20220718-en
General
- Target: bbe2afa97b110302be0e9e52be6d6f64.dll
- Size: 5.0MB
- MD5: bbe2afa97b110302be0e9e52be6d6f64
- SHA1: e46ddb727ba325e31940cccb1b36d385aed7a716
- SHA256: 178fe955a6c0412daaf5a36485281a168ab40df284b451dad6c84043a6a5c0d6
- SHA512: c42ad5ed9e8a61ef54c23be342101bf443cd155a5975ada6f253254491efad9d630664fc932ae9e6d5f86c58011998931076003b0ad50d6eb5ccd0944ad9fa83
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3252) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    4660 mssecsvc.exe
    2196 mssecsvc.exe
    1116 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 620 wrote to memory of 2336   620   rundll32.exe  rundll32.exe
    PID 620 wrote to memory of 2336   620   rundll32.exe  rundll32.exe
    PID 620 wrote to memory of 2336   620   rundll32.exe  rundll32.exe
    PID 2336 wrote to memory of 4660  2336  rundll32.exe  mssecsvc.exe
    PID 2336 wrote to memory of 4660  2336  rundll32.exe  mssecsvc.exe
    PID 2336 wrote to memory of 4660  2336  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbe2afa97b110302be0e9e52be6d6f64.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bbe2afa97b110302be0e9e52be6d6f64.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: ee521250e09469441951e0525349070b
  SHA1: 30c0f52ced45273a2eb4c425aa2537f2cf0434c2
  SHA256: 273685e728bd39d0597f32579dc98262dee0811dbf3cc69e109face6f898e1f3
  SHA512: b8dab73a2a6b6977138b2c78cbcab54c87d63b6eb80bd20cbf46df36611099bd11018d863c541aa8e2f50a4935f1dcc374dd765dc9b8e72b2d4d23ba9dc64c42
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: ee521250e09469441951e0525349070b
  SHA1: 30c0f52ced45273a2eb4c425aa2537f2cf0434c2
  SHA256: 273685e728bd39d0597f32579dc98262dee0811dbf3cc69e109face6f898e1f3
  SHA512: b8dab73a2a6b6977138b2c78cbcab54c87d63b6eb80bd20cbf46df36611099bd11018d863c541aa8e2f50a4935f1dcc374dd765dc9b8e72b2d4d23ba9dc64c42
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f75ccfcc8fde211afcd7c0fbb87d3b74
  SHA1: 23b4793ab44814c53cc0f86e10978b1ac09236c4
  SHA256: 0e789b3bd7a770c0c77c354bd5b848cffaf38f1ffde622cb5b47cda14c59b2a2
  SHA512: 43c81a0bbbcf54eb84c11f4ba886a3e118e02570995ab6861d3e7a4784e88dca783f5c3a80d8be97c47a442c244ad1f557d5fcd637f2347acfd0a7c1e6c4c3b3
- memory/2336-130-0x0000000000000000-mapping.dmp
- memory/4660-131-0x0000000000000000-mapping.dmp