Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-07-2022 03:07
Static task: static1
Behavioral task: behavioral1
  Sample: 986b29f805c4036a4b17a2050e67aae6.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: 986b29f805c4036a4b17a2050e67aae6.dll
  Resource: win10v2004-20220414-en
(The platform and resource above identify this page as the behavioral2 run.)
General
Target: 986b29f805c4036a4b17a2050e67aae6.dll
Size: 5.0MB
MD5: 986b29f805c4036a4b17a2050e67aae6
SHA1: 9c9118edacd1103c5244dd8cb103e26ff5f4238c
SHA256: 5cc480c8869b3c6b9e319b6688ba7c7da41c1ca679a2582adccb3d28aded93e4
SHA512: 450683459e863a881f06d91ad63d4f130a9e43ae9d8c83907a4ccce5239579bba2cc123172c19362736d031b17ed1cea4ba24b7d696cf0f828f05684fdd43e1a
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3097) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For this family that is the worm component probing other hosts to spread to.
- Executes dropped EXE (3 IoCs)
  PID 4620  mssecsvc.exe
  PID 4792  mssecsvc.exe
  PID 2072  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\tasksche.exe  by mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe  by rundll32.exe
- Program crash (2 IoCs)
  PID 4648  WerFault.exe  target PID 2072 (tasksche.exe)
  PID 728   WerFault.exe  target PID 2072 (tasksche.exe)
- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 3124 rundll32.exe  wrote to memory of  PID 4836 rundll32.exe   (3 events)
  PID 4836 rundll32.exe  wrote to memory of  PID 4620 mssecsvc.exe   (3 events)
  PID 4620 mssecsvc.exe  wrote to memory of  PID 2072 tasksche.exe   (3 events)
  Every parent/child pair here is one of the process creations in the process tree, so these nine entries record the launch chain (a parent writes into the child it creates) and do not by themselves show a separate injection step.
Processes
(Indentation follows the sandbox's depth numbers; the DLL is invoked by export ordinal, ",#1".)
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\986b29f805c4036a4b17a2050e67aae6.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\986b29f805c4036a4b17a2050e67aae6.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         - Suspicious use of WriteProcessMemory
         4. C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
            5. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 220
               - Program crash
            5. C:\Windows\SysWOW64\WerFault.exe
               Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 224
               - Program crash
1. C:\WINDOWS\mssecsvc.exe
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2072 -ip 2072
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2072 -ip 2072
Notes: the 64-bit rundll32 hands the 32-bit DLL off to the SysWOW64 rundll32 (rundll32 relaunches its WOW64 copy for 32-bit DLLs), and it is that second instance that drops mssecsvc.exe. The mssecsvc.exe instance started with "-m security" is a separate top-level process, not a child of the rundll32 chain. The WerFault entries all target PID 2072, i.e. tasksche.exe crashed twice.
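The process tree above is a chain that process-creation telemetry (Sysmon event 1 or equivalent EDR records) can be matched against. The following is an added example, not part of the sandbox report: the events are constructed to mirror the report's tree (PIDs are the report's where it gives them; the parent of the "-m security" instance, services.exe with PID 700, and the allow-list of executables that legitimately sit directly in C:\Windows are assumptions), and the rules are mine.

```python
"""Process-chain detection for the behaviour in this report.

Added example, not part of the sandbox report.  Events are constructed to
mirror the report's process tree; the parent of the 'mssecsvc.exe -m security'
instance (services.exe, PID 700) and WIN_ROOT_ALLOW are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (what Sysmon event 1 / EDR telemetry carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed telemetry reproducing the report's tree.
DLL = r"C:\Users\Admin\AppData\Local\Temp\986b29f805c4036a4b17a2050e67aae6.dll"
EVENTS: List[ProcEvent] = [
    ProcEvent(3124, 1000, r"C:\Windows\system32\rundll32.exe",
              f"rundll32.exe {DLL},#1", r"C:\Windows\explorer.exe"),
    ProcEvent(4836, 3124, r"C:\Windows\SysWOW64\rundll32.exe",
              f"rundll32.exe {DLL},#1", r"C:\Windows\system32\rundll32.exe"),
    ProcEvent(4620, 4836, r"C:\WINDOWS\mssecsvc.exe",
              r"C:\WINDOWS\mssecsvc.exe", r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(2072, 4620, r"C:\WINDOWS\tasksche.exe",
              r"C:\WINDOWS\tasksche.exe /i", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(4792, 700, r"C:\WINDOWS\mssecsvc.exe",   # parent is an assumption
              r"C:\WINDOWS\mssecsvc.exe -m security", r"C:\Windows\system32\services.exe"),
    # Benign rundll32 use, to show the rules do not fire on rundll32 alone.
    ProcEvent(5000, 1000, r"C:\Windows\system32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),
]

# An .exe directly under the Windows root (not in System32, SysWOW64, ...).
WIN_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
# A DLL under a Temp directory invoked by export ordinal (",#N"), as in the report.
TEMP_DLL_ORDINAL = re.compile(r"\\temp\\[^\s,]+\.dll,#\d+$", re.I)
# Binaries that legitimately live directly in C:\Windows (illustrative allow-list, not authoritative).
WIN_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                  "write.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_rundll32_temp_dll_by_ordinal(ev: ProcEvent) -> bool:
    """rundll32 loading a DLL from a Temp directory by ordinal."""
    return _base(ev.image) == "rundll32.exe" and bool(TEMP_DLL_ORDINAL.search(ev.cmdline))


def rule_exe_in_windows_root(ev: ProcEvent) -> bool:
    """New process whose image sits directly in the Windows root and is not a known resident."""
    return bool(WIN_ROOT_EXE.match(ev.image)) and _base(ev.image) not in WIN_ROOT_ALLOW


def rule_rundll32_spawns_windows_root_exe(ev: ProcEvent) -> bool:
    """rundll32 as the parent of an executable launched from the Windows root."""
    return _base(ev.parent_image) == "rundll32.exe" and bool(WIN_ROOT_EXE.match(ev.image))


def rule_wannacry_cmdline(ev: ProcEvent) -> bool:
    """Command lines seen in the report: 'mssecsvc.exe -m security' and 'tasksche.exe /i'."""
    base, cmd = _base(ev.image), ev.cmdline.lower().rstrip()
    return (base == "mssecsvc.exe" and cmd.endswith(" -m security")) or \
           (base == "tasksche.exe" and cmd.endswith(" /i"))


RULES = [rule_rundll32_temp_dll_by_ordinal, rule_exe_in_windows_root,
         rule_rundll32_spawns_windows_root_exe, rule_wannacry_cmdline]


def detect(events: Iterable[ProcEvent]) -> Dict[int, List[str]]:
    """Map each PID to the names of the rules it triggered; PIDs with no hit are omitted."""
    hits: Dict[int, List[str]] = {}
    for ev in events:
        fired = [r.__name__ for r in RULES if r(ev)]
        if fired:
            hits[ev.pid] = fired
    return hits


def chain_from(events: Iterable[ProcEvent], root_pid: int) -> List[int]:
    """Follow ppid links downward from root_pid and return the descendant chain (depth-first)."""
    by_parent: Dict[int, List[int]] = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev.pid)
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(by_parent.get(pid, []))
    return out


if __name__ == "__main__":
    for pid, rules in detect(EVENTS).items():
        print(pid, ", ".join(rules))
    print("chain from 3124:", chain_from(EVENTS, 3124))
```

The per-event rules fire on the two rundll32 instances (Temp DLL by ordinal), on the drop of mssecsvc.exe (rundll32 parenting an executable in the Windows root) and on the two WannaCry-specific command lines; the benign rundll32 event is left alone. In production, the Windows-root allow-list needs to be built from a clean baseline rather than the short illustrative set here.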
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 51cfc6fe985916116cd2bbd6aa836044
  SHA1: db443f2110da8a92435c2478a1cd946f91f162bb
  SHA256: aa541eb2ff55cf2049f6249f6ff5662b54b1e45859e9f51bcdaadb612b315acc
  SHA512: 0d9603fc89de7c401a29c9e39e4087e5c0c6bed08888e7726b5bc4cf993319aeaa51d0846c89561e03d5be981190e8e780a96564fb6e9f5d0c2ee43e63efe512
- C:\WINDOWS\tasksche.exe
  Filesize: 3.4MB
  MD5: 7b351fcb4c6a4ccb3d3061936aa553a6
  SHA1: 365a3e54d81b8c19fe781656a4ce7243749ad970
  SHA256: efa788e33b9f58a86b015da2b0b1651f80e02923e9e9ffc1602aeed4218a5dac
  SHA512: 3d8fa3a451f0a63bb0ce444f5f3ac9420e65e57fd8d50c9477b22ebc58402c747b27c74aef540b4bb0327487d48eef58a77b2ec37d5c52c2224102e4b62c30f8
- C:\Windows\mssecsvc.exe (same hashes as C:\WINDOWS\mssecsvc.exe above; only the path case differs)
  Filesize: 3.6MB
  MD5: 51cfc6fe985916116cd2bbd6aa836044
  SHA1: db443f2110da8a92435c2478a1cd946f91f162bb
  SHA256: aa541eb2ff55cf2049f6249f6ff5662b54b1e45859e9f51bcdaadb612b315acc
  SHA512: 0d9603fc89de7c401a29c9e39e4087e5c0c6bed08888e7726b5bc4cf993319aeaa51d0846c89561e03d5be981190e8e780a96564fb6e9f5d0c2ee43e63efe512
- C:\Windows\tasksche.exe (same hashes as C:\WINDOWS\tasksche.exe above; only the path case differs)
  Filesize: 3.4MB
  MD5: 7b351fcb4c6a4ccb3d3061936aa553a6
  SHA1: 365a3e54d81b8c19fe781656a4ce7243749ad970
  SHA256: efa788e33b9f58a86b015da2b0b1651f80e02923e9e9ffc1602aeed4218a5dac
  SHA512: 3d8fa3a451f0a63bb0ce444f5f3ac9420e65e57fd8d50c9477b22ebc58402c747b27c74aef540b4bb0327487d48eef58a77b2ec37d5c52c2224102e4b62c30f8
- memory/2072-135-0x0000000000000000-mapping.dmp
- memory/4620-131-0x0000000000000000-mapping.dmp
- memory/4836-130-0x0000000000000000-mapping.dmp
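The dropped-file list is the part of a report that usually gets lifted into a blocklist, and as extracted it arrives with the hash label fused to the hex value and the path fused to the word "Filesize", with the same file listed under more than one path spelling. The following is an added example, not part of the report: a small parser for that flattened layout that validates each digest length and collapses the entries to unique files keyed by SHA256. The excerpt it parses is the report's own listing as extracted; the parser and its functions are mine.

```python
"""Parse the flattened 'Downloads' section of a sandbox report into IOC records.

Added example, not part of the report.  REPORT_EXCERPT is the report's own
dropped-file listing as it was extracted; the parsing code is mine.
"""
import re
from typing import Dict, List

REPORT_EXCERPT = r"""
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD551cfc6fe985916116cd2bbd6aa836044
SHA1db443f2110da8a92435c2478a1cd946f91f162bb
SHA256aa541eb2ff55cf2049f6249f6ff5662b54b1e45859e9f51bcdaadb612b315acc
SHA5120d9603fc89de7c401a29c9e39e4087e5c0c6bed08888e7726b5bc4cf993319aeaa51d0846c89561e03d5be981190e8e780a96564fb6e9f5d0c2ee43e63efe512
-
C:\WINDOWS\tasksche.exeFilesize
3.4MB
MD57b351fcb4c6a4ccb3d3061936aa553a6
SHA1365a3e54d81b8c19fe781656a4ce7243749ad970
SHA256efa788e33b9f58a86b015da2b0b1651f80e02923e9e9ffc1602aeed4218a5dac
SHA5123d8fa3a451f0a63bb0ce444f5f3ac9420e65e57fd8d50c9477b22ebc58402c747b27c74aef540b4bb0327487d48eef58a77b2ec37d5c52c2224102e4b62c30f8
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD551cfc6fe985916116cd2bbd6aa836044
SHA1db443f2110da8a92435c2478a1cd946f91f162bb
SHA256aa541eb2ff55cf2049f6249f6ff5662b54b1e45859e9f51bcdaadb612b315acc
SHA5120d9603fc89de7c401a29c9e39e4087e5c0c6bed08888e7726b5bc4cf993319aeaa51d0846c89561e03d5be981190e8e780a96564fb6e9f5d0c2ee43e63efe512
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD57b351fcb4c6a4ccb3d3061936aa553a6
SHA1365a3e54d81b8c19fe781656a4ce7243749ad970
SHA256efa788e33b9f58a86b015da2b0b1651f80e02923e9e9ffc1602aeed4218a5dac
SHA5123d8fa3a451f0a63bb0ce444f5f3ac9420e65e57fd8d50c9477b22ebc58402c747b27c74aef540b4bb0327487d48eef58a77b2ec37d5c52c2224102e4b62c30f8
-
memory/2072-135-0x0000000000000000-mapping.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Longest label first so "SHA512..." is never read as "SHA1" + hex.
HASH_LINE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-f]+)$", re.I)
SIZE_LINE = re.compile(r"^\d+(\.\d+)?(B|KB|MB|GB)$")
FILESIZE = "Filesize"


def parse_downloads(text: str) -> List[Dict[str, str]]:
    """One record per listed path: path, size and lower-case md5/sha1/sha256/sha512."""
    records: List[Dict[str, str]] = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(FILESIZE) and len(line) > len(FILESIZE):
            cur = {"path": line[:-len(FILESIZE)]}   # path is fused to the label
            records.append(cur)
        elif cur is None or line == "-":
            cur = None                               # separator, preamble or memory-dump line
        elif "size" not in cur and SIZE_LINE.match(line):
            cur["size"] = line
        else:
            m = HASH_LINE.match(line)
            if not m:
                raise ValueError(f"unexpected line inside record {cur['path']!r}: {line!r}")
            algo, hexval = m.group(1).upper(), m.group(2).lower()
            if len(hexval) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {cur['path']} has {len(hexval)} hex chars")
            cur[algo.lower()] = hexval
    return records


def unique_files(records: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Collapse records to unique files keyed by SHA256, keeping every path spelling seen."""
    files: Dict[str, Dict[str, object]] = {}
    for r in records:
        entry = files.setdefault(r["sha256"], {"md5": r["md5"], "sha1": r["sha1"],
                                               "sha512": r["sha512"], "size": r["size"],
                                               "paths": set()})
        if (entry["md5"], entry["sha1"], entry["sha512"]) != (r["md5"], r["sha1"], r["sha512"]):
            raise ValueError(f"conflicting digests for sha256 {r['sha256']}")
        entry["paths"].add(r["path"])
    return files


def ioc_lines(files: Dict[str, Dict[str, object]]) -> List[str]:
    """Flat 'sha256 path[,path]' lines, one per unique file, for a blocklist or hunt query."""
    return [f"{sha256} {','.join(sorted(f['paths']))}" for sha256, f in sorted(files.items())]


if __name__ == "__main__":
    for line in ioc_lines(unique_files(parse_downloads(REPORT_EXCERPT))):
        print(line)
```

Run against the excerpt this yields four records but two unique files, which is the number a blocklist should carry for this run. The length check matters when copying digests out of extracted text: a truncated SHA256 silently matches nothing.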