Analysis
- max time kernel: 153s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-08-2022 19:32
Static task: static1
Behavioral task: behavioral1
  Sample: a6529e30d3ce0e1dfe2d72984b4fe196.dll
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: a6529e30d3ce0e1dfe2d72984b4fe196.dll
  Resource: win10v2004-20220812-en
General
- Target: a6529e30d3ce0e1dfe2d72984b4fe196.dll
- Size: 5.0MB
- MD5: a6529e30d3ce0e1dfe2d72984b4fe196
- SHA1: acbee5d6ff1009d1cb4669085f6f9858bca17015
- SHA256: fcc65fd1ce9236d8bb5d1615209453f178c27afbadd1a4784920e22ca6b67a1d
- SHA512: 5b3ef53ae474bd644249fabbc8b0f5e2ebcc26289747c29612dfa27882fc59a21840c85d5de8e8cccc7c8425bef397a51cf352564c681513cbcfbef4719c50bd
- SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAhxWa9P593R8yAVp2H:d8qPe1Cxcxk3ZA6adzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2983) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    4424  mssecsvc.exe
    176   mssecsvc.exe
    216   tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                         pid   process       target process
    PID 3444 wrote to memory of 1356    3444  rundll32.exe  rundll32.exe
    PID 3444 wrote to memory of 1356    3444  rundll32.exe  rundll32.exe
    PID 3444 wrote to memory of 1356    3444  rundll32.exe  rundll32.exe
    PID 1356 wrote to memory of 4424    1356  rundll32.exe  mssecsvc.exe
    PID 1356 wrote to memory of 4424    1356  rundll32.exe  mssecsvc.exe
    PID 1356 wrote to memory of 4424    1356  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6529e30d3ce0e1dfe2d72984b4fe196.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6529e30d3ce0e1dfe2d72984b4fe196.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0e5ccd86d0aded5f6e3ec1aad73d566b
  SHA1: 7979d83cdd05a2442fac9cfc2d58ecadf50c0383
  SHA256: 3d6027bff64f5948a54c7b89f51667917e0067bf70c97c1bf98778e2a3588d58
  SHA512: 341c0f0d87a2371664e1a8d8cef499b54ccff6e5c542db618c76fdc238c0587bad78642d33423838ded37896c8018ccaa5d224c99ebdeebf009c2dd43fa104bc
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0e5ccd86d0aded5f6e3ec1aad73d566b
  SHA1: 7979d83cdd05a2442fac9cfc2d58ecadf50c0383
  SHA256: 3d6027bff64f5948a54c7b89f51667917e0067bf70c97c1bf98778e2a3588d58
  SHA512: 341c0f0d87a2371664e1a8d8cef499b54ccff6e5c542db618c76fdc238c0587bad78642d33423838ded37896c8018ccaa5d224c99ebdeebf009c2dd43fa104bc
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 1aeb661f721395e4f64040e2834b326e
  SHA1: 92b750f744da9a89d1796cf9b9c1021f7e35184d
  SHA256: dd0e4a94f23ca9fd430c9ce9ea97b99f090831ff7f70046dccd2e6f9063ad10b
  SHA512: 08eadf5dfe5a08a5d0826612d9d8a3527973a068c909d0f105fc5d5e63003cb79c5292ecdc22a243bf270edee76467330838a885d24801d6abc07c75bda70f78
- memory/1356-132-0x0000000000000000-mapping.dmp
- memory/4424-133-0x0000000000000000-mapping.dmp