Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 01:31
Static task
- static1

Behavioral task
- behavioral1
- Sample: 28e2252bcdfe3239f1db3759e80e9ad0.dll
- Resource: win7-20220715-en

Behavioral task
- behavioral2
- Sample: 28e2252bcdfe3239f1db3759e80e9ad0.dll
- Resource: win10v2004-20220414-en
General
- Target: 28e2252bcdfe3239f1db3759e80e9ad0.dll
- Size: 5.0MB
- MD5: 28e2252bcdfe3239f1db3759e80e9ad0
- SHA1: a24337038589cc514d08fd43beb66fb5d33ea32d
- SHA256: 0b6e9d6b978adda20feed22f0be3a01ad87e5a73aac915a0a8cb8d9837863701
- SHA512: 0aee17fda834f85cf1683869a29a3d0b797df5e817f3a5109cc1472e95601c8400e097506319c5ac51bc35b0d9105c2eca0a26e4c69bdd928b83f6035c583c7b
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3089) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
  pid  | process
  776  | mssecsvc.exe
  4128 | mssecsvc.exe
  2176 | tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes:
  description  | ioc                      | process
  File created | C:\WINDOWS\mssecsvc.exe  | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe  | mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                      | pid  | process      | target process
  PID 2124 wrote to memory of 3804 | 2124 | rundll32.exe | rundll32.exe
  PID 2124 wrote to memory of 3804 | 2124 | rundll32.exe | rundll32.exe
  PID 2124 wrote to memory of 3804 | 2124 | rundll32.exe | rundll32.exe
  PID 3804 wrote to memory of 776  | 3804 | rundll32.exe | mssecsvc.exe
  PID 3804 wrote to memory of 776  | 3804 | rundll32.exe | mssecsvc.exe
  PID 3804 wrote to memory of 776  | 3804 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\28e2252bcdfe3239f1db3759e80e9ad0.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\28e2252bcdfe3239f1db3759e80e9ad0.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e95af9f80a0938de263d0bd2a57ad6d6
  SHA1: b5ff16bfc78dcaf8d15cc0ea720e4da6dd9e52a5
  SHA256: 28499e53fe9dd0788c132612070e35d1a53cd65f98c08d61f5dd5bf05b9a9a18
  SHA512: 3126e5e8aba1a8d1e899dff057f6f121da5379c6c2ff61d17bf4b9a0ed1cf83a514fe5e55387c64caa484abb2ee90544b9031bc12dd2d442d7d7cecbf0cc1c27

- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e95af9f80a0938de263d0bd2a57ad6d6
  SHA1: b5ff16bfc78dcaf8d15cc0ea720e4da6dd9e52a5
  SHA256: 28499e53fe9dd0788c132612070e35d1a53cd65f98c08d61f5dd5bf05b9a9a18
  SHA512: 3126e5e8aba1a8d1e899dff057f6f121da5379c6c2ff61d17bf4b9a0ed1cf83a514fe5e55387c64caa484abb2ee90544b9031bc12dd2d442d7d7cecbf0cc1c27
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 00bc8d99be794121a7a3a2ad7501994e
  SHA1: 3c34dcddde8ff946e28df8ee2f4cb3bede39670f
  SHA256: 65214ab0eb6a0e410048c74e5f99ba3e75a500562a9e804a3096f65f9fa16257
  SHA512: 770ba1db33936f1471d8f331f725853ae1196aa2c589cfeaa107054d97674d485b44c4fd1edd34d4001f4037ade78fdd517fa12353a9982a859b182f23d3d400

- memory/776-131-0x0000000000000000-mapping.dmp
- memory/3804-130-0x0000000000000000-mapping.dmp