Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/07/2022, 07:43

General

  • Target

    ec5748f79216b65959301174fbf96957.dll

  • Size

    5.0MB

  • MD5

    ec5748f79216b65959301174fbf96957

  • SHA1

    690f8cecc24108338930a17c70a528292c60be38

  • SHA256

    105e8ccca5c3be8e5bb23b1afbba9720c44d0ec45a2ef85d004c34526464ed0f

  • SHA512

    d571b153abd7216dcf05085d4730e9c9410d4ad6f8015b0d9334e3db00e33bf351f155a880ccf733bc21a2530598ee42a6d76ec81b2f5390bd978431042f48bd

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3228) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec5748f79216b65959301174fbf96957.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ec5748f79216b65959301174fbf96957.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3124
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:3596
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4324
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:2100

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\WINDOWS\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          42db6f5ea2fa39f344fe8bcbb70c2446

          SHA1

          a56bbda5cdae8d02a5f766f10fbf3e23e2d4ec83

          SHA256

          2b950f9148cd1558d3034fe775be313e6600dff8c12dc5c3c309f9979c210eaa

          SHA512

          14c268a98a0d1a46e5af3a6d9eb72ed20f91d32be489895d605237874e006af5d70ec66766bf24cdad17ea0885742c6f02430914048231a9085b7700484973c0

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          42db6f5ea2fa39f344fe8bcbb70c2446

          SHA1

          a56bbda5cdae8d02a5f766f10fbf3e23e2d4ec83

          SHA256

          2b950f9148cd1558d3034fe775be313e6600dff8c12dc5c3c309f9979c210eaa

          SHA512

          14c268a98a0d1a46e5af3a6d9eb72ed20f91d32be489895d605237874e006af5d70ec66766bf24cdad17ea0885742c6f02430914048231a9085b7700484973c0

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          42db6f5ea2fa39f344fe8bcbb70c2446

          SHA1

          a56bbda5cdae8d02a5f766f10fbf3e23e2d4ec83

          SHA256

          2b950f9148cd1558d3034fe775be313e6600dff8c12dc5c3c309f9979c210eaa

          SHA512

          14c268a98a0d1a46e5af3a6d9eb72ed20f91d32be489895d605237874e006af5d70ec66766bf24cdad17ea0885742c6f02430914048231a9085b7700484973c0

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          1c8b86848417ca00d2c49b4515e6516a

          SHA1

          f5d333f02e227a2fb70536d12f90ca359c8d263d

          SHA256

          2eefc917cef61a212eea8c033f028dda3c791e55791de69c79252d56423982c1

          SHA512

          bc362feaace7bd0fba650c18d2b3b89a1f9f5fdb347e62eb4877e56f7c682be05fd341d79586245b4912df3e26512496e3631255674622f4ae5a9b060f04b749