Analysis

  • max time kernel
    156s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2022, 07:44

General

  • Target

    8c5266b76cb1b59fcc1edbc8d8908d4f.dll

  • Size

    5.0MB

  • MD5

    8c5266b76cb1b59fcc1edbc8d8908d4f

  • SHA1

    904064e4f6194f3b40415e1d65a7a74a4f5c15c1

  • SHA256

    b3ac4447b03488cba38e3aee1b3310cd96d8673f781031aa5b54bf413725e2bd

  • SHA512

    d9a343fe916d4e82f69d5525e238e4bb1878b3115d1248e030ea28d220fe23b68d2cfc31491dbd988bee4667f24967b936bb00376bdd57fc3665163c1263b8ae

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (2912) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c5266b76cb1b59fcc1edbc8d8908d4f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c5266b76cb1b59fcc1edbc8d8908d4f.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4424
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:5056
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:4500
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:968

Network

        Downloads

        • C:\WINDOWS\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          d2afab1f6e4b2f2c072890040ee91a62

          SHA1

          cb37f128b5ecd3bc5d10efc892a3c5886ba3cc55

          SHA256

          17ead2da93d1a5b5333b1755a75c8f3fe45233eb5cd802203b352f60e203309a

          SHA512

          dadadd6604a8b0f53db62fe28974ef6e0cd47b6eb591d5e8504fcfaf192fe848e773c410e4ea88d20a82d23944b65ce57f710423122fade32db02bb9ebbf2049

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          d2afab1f6e4b2f2c072890040ee91a62

          SHA1

          cb37f128b5ecd3bc5d10efc892a3c5886ba3cc55

          SHA256

          17ead2da93d1a5b5333b1755a75c8f3fe45233eb5cd802203b352f60e203309a

          SHA512

          dadadd6604a8b0f53db62fe28974ef6e0cd47b6eb591d5e8504fcfaf192fe848e773c410e4ea88d20a82d23944b65ce57f710423122fade32db02bb9ebbf2049

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          a0c080b6b04064caddb90715a9115320

          SHA1

          ab23cc42cf8f8b316d8fbb5b102ce7594a3d02cd

          SHA256

          3eef39feef918a8ee0949af01c667fc94bf38f5b081b8d77fdbfa18f81e5e132

          SHA512

          30868ecd8bf36cc2883508834f987f7339974e1429c640ec984ab9ae9a67f3085a5c8162f60fa5522eb9b18ab948fd4b99872dce813db33494d196f0d4ac8a91