Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220414-en locale:en-us os:windows10-2004-x64 system
- submitted: 20/07/2022, 07:44
Static task: static1
Behavioral task: behavioral1
- Sample: 0457e6241e8c15bf1b4e8de873b38500.dll
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 0457e6241e8c15bf1b4e8de873b38500.dll
- Resource: win10v2004-20220414-en
General
- Target: 0457e6241e8c15bf1b4e8de873b38500.dll
- Size: 5.0MB
- MD5: 0457e6241e8c15bf1b4e8de873b38500
- SHA1: 19afc01869c0383169ad411423234d0134a65bc2
- SHA256: 5ebaffbbc54ae2f785146b4bd538365fabd7acff1341923b9a061227d9bcb80a
- SHA512: ccbb403d07fad82258344a58f07eb845cd5577d24ead732b99e885d379a9c6c0c37aa39eaf019429ed07be71a0097ddc5597d8c018121787166ebb1b9326706b
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3309) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  4648  mssecsvc.exe
  1012  mssecsvc.exe
  960   tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   Process       procid_target
  PID 4384 wrote to memory of 3468   4384  rundll32.exe  79
  PID 4384 wrote to memory of 3468   4384  rundll32.exe  79
  PID 4384 wrote to memory of 3468   4384  rundll32.exe  79
  PID 3468 wrote to memory of 4648   3468  rundll32.exe  80
  PID 3468 wrote to memory of 4648   3468  rundll32.exe  80
  PID 3468 wrote to memory of 4648   3468  rundll32.exe  80
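The "Executes dropped EXE" and "Contacts a large number of remote hosts" signatures above are heuristics evaluated over the sandbox's event stream: the first correlates a process start with an earlier file write to the same path, the second counts distinct remote hosts per process. The Python below is an added example written for this page, not the sandbox's own rule code. It re-implements both rules over a constructed trace built from the PIDs and paths in the report. The threshold of 100 distinct hosts, the attribution of the 3309 remote hosts to mssecsvc.exe (PID 4648), the svchost.exe control process and the synthetic 10.x.x.x addresses are all assumptions; the report lists neither the hosts nor the process that contacted them.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed threshold; the sandbox's real cut-off for this signature is not on the page.
REMOTE_HOST_THRESHOLD = 100


@dataclass(frozen=True)
class Event:
    """One sandbox event. kind is 'file_create', 'proc_create' or 'net_flow'.
    For file_create, target is the path written; for proc_create, target is the
    child's image path and child_pid its PID; for net_flow, target is the remote host."""
    kind: str
    pid: int
    process: str
    target: str
    child_pid: int = 0


def executes_dropped_exe(events):
    """'Executes dropped EXE': a process is started from a path that an earlier
    file_create event in the same trace wrote. Paths are compared case-insensitively
    because NTFS path lookup is case-insensitive. Returns (child_pid, image, dropper)."""
    dropped = {}   # lower-cased path -> image name of the process that wrote it
    hits = []
    for ev in events:
        key = ev.target.lower()
        if ev.kind == "file_create":
            dropped[key] = ev.process
        elif ev.kind == "proc_create" and key in dropped:
            hits.append((ev.child_pid, ev.target, dropped[key]))
    return hits


def scan_like_processes(events, threshold=REMOTE_HOST_THRESHOLD):
    """'Contacts a large number of remote hosts': distinct remote hosts per (pid, image).
    Returns {(pid, image): host_count} for every process at or above the threshold."""
    hosts = defaultdict(set)
    for ev in events:
        if ev.kind == "net_flow":
            hosts[(ev.pid, ev.process)].add(ev.target)
    return {key: len(v) for key, v in hosts.items() if len(v) >= threshold}


# Constructed trace modelled on the report's process tree (PIDs and paths from the report).
EVENTS = [
    Event("file_create", 3468, "rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    Event("proc_create", 3468, "rundll32.exe", r"C:\WINDOWS\mssecsvc.exe", child_pid=4648),
    Event("file_create", 4648, "mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    Event("proc_create", 4648, "mssecsvc.exe", r"C:\WINDOWS\tasksche.exe", child_pid=960),
    # Assumed benign control process: three hosts must not trigger the scan rule.
    Event("net_flow", 1000, "svchost.exe", "192.0.2.1"),
    Event("net_flow", 1000, "svchost.exe", "192.0.2.2"),
    Event("net_flow", 1000, "svchost.exe", "192.0.2.3"),
]
# Assumption: the 3309 hosts the report counts are attributed here to mssecsvc.exe (PID 4648);
# the addresses are synthetic and distinct because i < 65536.
EVENTS += [
    Event("net_flow", 4648, "mssecsvc.exe", f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}")
    for i in range(3309)
]

if __name__ == "__main__":
    for child_pid, image, dropper in executes_dropped_exe(EVENTS):
        print(f"Executes dropped EXE: pid {child_pid} {image} (written by {dropper})")
    for (pid, image), n in scan_like_processes(EVENTS).items():
        print(f"Contacts a large number of remote hosts: pid {pid} {image} -> {n} hosts")
```

Both rules key on the same trace fields a real sandbox records (acting PID, image, target path or host), so the same event list feeds both; the dropped-EXE rule deliberately ignores who starts the file, which is why the service-started mssecsvc.exe (PID 1012) in the report is also flagged by the sandbox even though rundll32.exe did not spawn it.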
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0457e6241e8c15bf1b4e8de873b38500.dll,#1
  PID: 4384
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0457e6241e8c15bf1b4e8de873b38500.dll,#1
    PID: 3468
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      PID: 4648
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        PID: 960
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  PID: 1012
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.6MB
  MD5: 8bf0f2642be2c8e663059e879965c735
  SHA1: edb79c06c9286ff844be12211ac8c6b5da20f157
  SHA256: 0eb87192498cbad24f170c0927db661a4ae334dbb508a0c6a57d80dad36e076e
  SHA512: 9e62795e7b433c090230b6d762b8ecd2c31082a3a7a78f7f2b231a4a908054fede87bf89e6d81bc2d4ca487dc689dd63d2c5ccb8c7ea6a5084071a4a47372244
- Filesize: 3.4MB
  MD5: b7fea17cfccdba61b3cfdb3dae0c3f53
  SHA1: 4410c22dd484da644c2ecb2bbfee315a02159cf5
  SHA256: 5e57847eef6674b3a9dff6a9b51427c45a42dc45a640047f5613305e531875bf
  SHA512: 7b1da7eeb8612dd1be520939d32fa36ee662a937126d0e1b50017c17c3ca5278a2bbb9b0de38ff8d44993713b6699a4c8557a585353f4659a635d474422a3a40