Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2022, 07:34

General

  • Target

    50cbca00cd028986ce1c332c8093cdd9.dll

  • Size

    5.0MB

  • MD5

    50cbca00cd028986ce1c332c8093cdd9

  • SHA1

    80e9c0da857b9ed792a9fae87f56ed3363ffb8b4

  • SHA256

    fecdbea3b7439653a0b422b22bb957577b0f100dc43b13148c20cc282cd4d865

  • SHA512

    b8fab37e2d280f0c518ca9e503c5d6cfd77fee1791c3a2c60365b939114b98099106d4bd98556f5aa7a762a32c0b64b5d3ac88beae81bb02645408bf2d114d56

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3068) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\50cbca00cd028986ce1c332c8093cdd9.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\50cbca00cd028986ce1c332c8093cdd9.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4640
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2132
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:4968

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\WINDOWS\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          985ba4ef47df1da29ee4751ccbef41bd

          SHA1

          c3518542cd5328dbfe54cda103d57858965ccd10

          SHA256

          0478b53bae63fdac319a40ff83d46f5bf51736cb36930f30c7ea54ec35b321e6

          SHA512

          3a9c4c9388ccf3221ccdcfd552241df14c52279708aaed65ed40cf59ff46f589d7ae61ea6ac328afabd6d5904415e5e77c170bf08d83f2349642da08ba8c8f7f

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          985ba4ef47df1da29ee4751ccbef41bd

          SHA1

          c3518542cd5328dbfe54cda103d57858965ccd10

          SHA256

          0478b53bae63fdac319a40ff83d46f5bf51736cb36930f30c7ea54ec35b321e6

          SHA512

          3a9c4c9388ccf3221ccdcfd552241df14c52279708aaed65ed40cf59ff46f589d7ae61ea6ac328afabd6d5904415e5e77c170bf08d83f2349642da08ba8c8f7f

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          985ba4ef47df1da29ee4751ccbef41bd

          SHA1

          c3518542cd5328dbfe54cda103d57858965ccd10

          SHA256

          0478b53bae63fdac319a40ff83d46f5bf51736cb36930f30c7ea54ec35b321e6

          SHA512

          3a9c4c9388ccf3221ccdcfd552241df14c52279708aaed65ed40cf59ff46f589d7ae61ea6ac328afabd6d5904415e5e77c170bf08d83f2349642da08ba8c8f7f

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          34162f39d0401884115a772a8619cd45

          SHA1

          0a74ce265b922c0020acee72ddfebb0505e99f7c

          SHA256

          3cb80529bef49f8fcaa87e3b40cdf3c79beeac3cde3d84e7eba25812ccf43842

          SHA512

          16dcbaa0ddc727f264bdfd378db49856b1055ce3e17f1eb7c27d758fdac607394c69f0c92d9bf31f6d39dd78a2f4856c368930be861ef1200309038af1dd6e1b