Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/07/2022, 07:38
Static task: static1

Behavioral task: behavioral1
- Sample: 9135308a54128612137748dd6fc8689e.dll
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 9135308a54128612137748dd6fc8689e.dll
- Resource: win10v2004-20220718-en
General
- Target: 9135308a54128612137748dd6fc8689e.dll
- Size: 5.0MB
- MD5: 9135308a54128612137748dd6fc8689e
- SHA1: 0557a164db5b41ba2925a37ada6896b6b361090a
- SHA256: 374aa67752f851ee4bfd9b98b610cf7ee2e47d8d036fd0331a198c5d0e9238ea
- SHA512: d40c0dbd09f35f4ed62a7b95576b7647b8ddadf5304115b1fe74ad4688f89de64c93731ce029b61d181798ee2deff0cdc2d5bea33aded1bd796510f9534d8cbc
Malware Config

Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3235) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  1124  mssecsvc.exe
  2172  mssecsvc.exe
  2480  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid   Process       procid_target
  PID 1184 wrote to memory of 3976    1184  rundll32.exe  77
  PID 1184 wrote to memory of 3976    1184  rundll32.exe  77
  PID 1184 wrote to memory of 3976    1184  rundll32.exe  77
  PID 3976 wrote to memory of 1124    3976  rundll32.exe  78
  PID 3976 wrote to memory of 1124    3976  rundll32.exe  78
  PID 3976 wrote to memory of 1124    3976  rundll32.exe  78
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9135308a54128612137748dd6fc8689e.dll,#1
  PID: 1184
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9135308a54128612137748dd6fc8689e.dll,#1
    PID: 3976
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1124
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2480
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2172
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB
  MD5: b43a5385224265da3f585765f650e4a5
  SHA1: 513f04bed52b477d18a8d47f20ea3df4935bbc7f
  SHA256: 21fd068f15af2d4fd2981e0846d0a8f33ebd98516cf8d939e392d7faec542e7a
  SHA512: da6a68f2397adf427cd2b755f88c251c3bca688498feda2c2d9aa53f17752ad3ecd7e6d9b2eaa3f988a18397819171f58e18872795d00b2a86eac4762d14d343
- Filesize: 3.4MB
  MD5: a318a9762a9d4b311922149f66189890
  SHA1: ffd28d34af54652bf287dcf5f2d888c910589d38
  SHA256: 739e22ec12d7510fa24c3a26ede3505177156499546c2ed642b80d4f54b21822
  SHA512: 6c41fd78c336845546eca1a1f773f77978ea7bbd1a40947cb386161014658da5ccef78c904a1f4089fdc35a86a1e2176c57ac8560b92b6b4ece67d62ae717d14