Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:17
Static task: static1
Behavioral task: behavioral1
- Sample: 24890a20e1bc62bdc614946c8a761647.dll
- Resource: win7-20220715-en
Behavioral task: behavioral2
- Sample: 24890a20e1bc62bdc614946c8a761647.dll
- Resource: win10v2004-20220718-en
General
- Target: 24890a20e1bc62bdc614946c8a761647.dll
- Size: 5.0MB
- MD5: 24890a20e1bc62bdc614946c8a761647
- SHA1: 0087d697ef8cbbe166a93ebb78bc367af964b309
- SHA256: 2024554e986424694456a50e8fe058bc9e9de98c98f52b55728a506b9235fc09
- SHA512: 107ea65bbf71bb937906e85e101803fa297c3e945052c0defc6b073f669f31aa29d21d1fd1201aff072277c91f1edf3b04ee12475329c2e45dcd6be26394b6f9
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3288) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid    process
    3436   mssecsvc.exe
    4672   mssecsvc.exe
    4032   tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description    ioc                        process
    File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                         pid    process        target process
    PID 3044 wrote to memory of 4116    3044   rundll32.exe   rundll32.exe
    PID 3044 wrote to memory of 4116    3044   rundll32.exe   rundll32.exe
    PID 3044 wrote to memory of 4116    3044   rundll32.exe   rundll32.exe
    PID 4116 wrote to memory of 3436    4116   rundll32.exe   mssecsvc.exe
    PID 4116 wrote to memory of 3436    4116   rundll32.exe   mssecsvc.exe
    PID 4116 wrote to memory of 3436    4116   rundll32.exe   mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24890a20e1bc62bdc614946c8a761647.dll,#1
  PID: 3044
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\24890a20e1bc62bdc614946c8a761647.dll,#1
    PID: 4116
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3436
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4032
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4672
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 8cc6e364f21798e30d468ce7b2207bfd
  SHA1: ea7618c7a0690ac4299c9e68a43f9fe5bf0619ad
  SHA256: 967a7c41ff141fed8f7f6f3d75c852eceebdd74a7b7f762d953bedb479e7ef65
  SHA512: 9b4c913a6db6d4366b69823a43c228e21b29dfbe6d30abbf750c63a4541edd02813a7226695f9e6606121c4008f1d51734c0d8d385a83d6983db2878a84fb4cf
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b31db4319492b5d1e6d037b46ea5485d
  SHA1: 7d33315752e2515070ce7ba59bcc72e770884217
  SHA256: 237eea16a01fa6c4811b4fe220595ac695efcea7085971af770226fcc2be44e4
  SHA512: f6b162123ebdae127e4dcdfffe7d22d06c3303cd0fd2a485ba38e2e40e26d40788193268b4ffcba4f66a906300dab8e8bae61ce10aee955d5c38dfa06a57679a
Memory dumps
- memory/3436-131-0x0000000000000000-mapping.dmp
- memory/4116-130-0x0000000000000000-mapping.dmp