Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2022, 07:45

General

  • Target

    aa6c3af589f56e44fa4f00cc5ee60169.dll

  • Size

    5.0MB

  • MD5

    aa6c3af589f56e44fa4f00cc5ee60169

  • SHA1

    80708025c3a71d2607dfa670e3de4f158351194e

  • SHA256

    65d88350e1e0577f647a1d0e91dd4baf6e5ce42d3845d5e5cdbee03f6a1d9d50

  • SHA512

    836fe58ab81d3c22ec00ac73e20a45e839a705c912faaf24511cb2fc54f848466e584fa674fb9cc8b6be7f8d442f4ca1a9f30d8245dd486c8e1c4e266c2e08a7

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3277) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa6c3af589f56e44fa4f00cc5ee60169.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa6c3af589f56e44fa4f00cc5ee60169.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1112
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3168
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:3028

Network

        Downloads

        • C:\WINDOWS\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          550fbbe39f6bb8cc978e37112d7760da

          SHA1

          a04f21a2aa3270944e91d446707be1344cdee667

          SHA256

          d29233288fed7ec3006b75fbab5c4259ba1bdfd89d3fad00fb26dc41fa9bd656

          SHA512

          456223a4c31bb1f99409b439c74b2656f3890aa4c4646b57007457300f8cf665628aaa31edde881d3d7f41846dfb5e20dddaa58534f8eea95713fe8f82c28103

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          550fbbe39f6bb8cc978e37112d7760da

          SHA1

          a04f21a2aa3270944e91d446707be1344cdee667

          SHA256

          d29233288fed7ec3006b75fbab5c4259ba1bdfd89d3fad00fb26dc41fa9bd656

          SHA512

          456223a4c31bb1f99409b439c74b2656f3890aa4c4646b57007457300f8cf665628aaa31edde881d3d7f41846dfb5e20dddaa58534f8eea95713fe8f82c28103

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          1fa7f9b832ae1d065695f71a8c7714b0

          SHA1

          274aa1fe26b8668adfb5bfff31917aeff93c12b0

          SHA256

          3f3b01ae8849baf9c28b373ab7bcdc369f8dbc376d6e07ec1918ea2c37871dcf

          SHA512

          3e1e3aa556624ef5886c34766e36fea6010c4a3d1db4df3fe859bb82ced94384473ce499a6598f593650b8f5a305708249a917513d3564b243481371c7d8850c