Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:31
Static task: static1
Behavioral task: behavioral1
- Sample: 3797c9c2f8a09b948b72ae0267496e93.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 3797c9c2f8a09b948b72ae0267496e93.dll
- Resource: win10v2004-20220414-en
General
- Target: 3797c9c2f8a09b948b72ae0267496e93.dll
- Size: 5.0MB
- MD5: 3797c9c2f8a09b948b72ae0267496e93
- SHA1: 31becf765d42b6392738268dd2306b65e65c7ba1
- SHA256: 84ac0e73d6980f73c61d410013af7fd3615ab730df2168b48a3323ae98c173d3
- SHA512: 9629ce17170e29250ee9bd969264c49407dea271cf68228706b97f1b701b29d76b41637e42f5e938c935bdf33b4ae1c3067b2bcbb090f91f2eff1c43ce10079b
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3298) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 1876 mssecsvc.exe
  - 1688 mssecsvc.exe
  - 4412 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe, by rundll32.exe
  - File created: C:\WINDOWS\tasksche.exe, by mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 4116 wrote to memory of 4168: rundll32.exe -> rundll32.exe
  - PID 4116 wrote to memory of 4168: rundll32.exe -> rundll32.exe
  - PID 4116 wrote to memory of 4168: rundll32.exe -> rundll32.exe
  - PID 4168 wrote to memory of 1876: rundll32.exe -> mssecsvc.exe
  - PID 4168 wrote to memory of 1876: rundll32.exe -> mssecsvc.exe
  - PID 4168 wrote to memory of 1876: rundll32.exe -> mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3797c9c2f8a09b948b72ae0267496e93.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4116
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3797c9c2f8a09b948b72ae0267496e93.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4168
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1876
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4412
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  PID: 1688
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: 7582a999f122d2e63122bad5040b8f5b
  - SHA1: 46e377b43cce1328be1ffa3cb5c92336c90e1bbc
  - SHA256: f196e67bab40d917830bbffb3347826c23305d97b2b1311160923a4803e7074a
  - SHA512: 6fd93b69b5d2a0d39f8858f303aad7afd2445d66bb5716e0b9195c53964d68195e508bfc5047ab528aac8b54ac8c96cec6f6f23c86344af827931db9436524fa
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: 6637b0761727686d36acfca7337f2c9c
  - SHA1: 6c3e0d9b765f666fba867d7c4c253c29216e5e01
  - SHA256: 7052c1b6734eeb8dd715c1ee9148e6b32c805f0ddbce2fd4423e39c92d6870d6
  - SHA512: 8a51e4cbd8f985716b00851b0d8306fa2b7079a5f42ad611f89b817841000fb0795120840461a4c3f32485f4a59258a412caa3111acd9bf17814bc67b6b9cfa4
- memory/1876-131-0x0000000000000000-mapping.dmp
- memory/4168-130-0x0000000000000000-mapping.dmp