Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:12
Static task: static1
Behavioral task: behavioral1
- Sample: 42e738ed97f87cd7a1da297a81fca30e.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 42e738ed97f87cd7a1da297a81fca30e.dll
- Resource: win10v2004-20220718-en
General
- Target: 42e738ed97f87cd7a1da297a81fca30e.dll
- Size: 5.0MB
- MD5: 42e738ed97f87cd7a1da297a81fca30e
- SHA1: c7f969152a9d332bcccebf82afb38a5a3a66a7cb
- SHA256: 4ffce411f462670df9a7d95579bbf1fab89df79e1548bfc21f974ee1721b0432
- SHA512: 346be9dd8018067aa34d64521a7a6cee72e0436c30422ece384f177de4266a86508422d04e0b0a9126b3907a596871a588c355c43247639079aa64c9e2f29d0b
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3329) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID   Process
  896   mssecsvc.exe
  3908  mssecsvc.exe
  4044  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  Description                         PID   Process       Target process
  PID 3112 wrote to memory of 3768    3112  rundll32.exe  rundll32.exe
  PID 3112 wrote to memory of 3768    3112  rundll32..exe rundll32.exe
  PID 3112 wrote to memory of 3768    3112  rundll32.exe  rundll32.exe
  PID 3768 wrote to memory of 896     3768  rundll32.exe  mssecsvc.exe
  PID 3768 wrote to memory of 896     3768  rundll32.exe  mssecsvc.exe
  PID 3768 wrote to memory of 896     3768  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\42e738ed97f87cd7a1da297a81fca30e.dll,#1
  PID: 3112
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\42e738ed97f87cd7a1da297a81fca30e.dll,#1
    PID: 3768
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 896
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4044
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3908
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5e1ea63e17fe3ba96369958edcf18dda
  SHA1: 37b98029f687a63caf28482456d6090cd4ac1dff
  SHA256: 64ce85fc6096610b695c207271cc11ea1cff1c945ce2097e2e5dadb7c2fd4da4
  SHA512: 9423bb7869464b05150f08cde0cede9ece15ee818d536c32643aeadc058857dcc9da2a90ff042eb18df287be4b9d5a2ea089bcd1812d196d9c2d5b11c4acfee8
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5e1ea63e17fe3ba96369958edcf18dda
  SHA1: 37b98029f687a63caf28482456d6090cd4ac1dff
  SHA256: 64ce85fc6096610b695c207271cc11ea1cff1c945ce2097e2e5dadb7c2fd4da4
  SHA512: 9423bb7869464b05150f08cde0cede9ece15ee818d536c32643aeadc058857dcc9da2a90ff042eb18df287be4b9d5a2ea089bcd1812d196d9c2d5b11c4acfee8
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 7f7ccaa16fb15eb1c7399d422f8363e8
  SHA1: bd44d0ab543bf814d93b719c24e90d8dd7111234
  SHA256: 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
  SHA512: 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7
- memory/896-131-0x0000000000000000-mapping.dmp
- memory/896-136-0x0000000000400000-0x0000000000A72000-memory.dmp
  Filesize: 6.4MB
- memory/896-138-0x0000000000400000-0x0000000000A72000-memory.dmp
  Filesize: 6.4MB
- memory/3768-130-0x0000000000000000-mapping.dmp
- memory/3908-137-0x0000000000400000-0x0000000000A72000-memory.dmp
  Filesize: 6.4MB
- memory/3908-139-0x0000000000400000-0x0000000000A72000-memory.dmp
  Filesize: 6.4MB