Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
08-09-2022 19:35
General
-
Target
526f83cfa2794470c0b323518daf0de0.dll
-
Size
5.0MB
-
MD5
526f83cfa2794470c0b323518daf0de0
-
SHA1
959e822a1d78eb6c48a7cd6f4f979e97b8eb27db
-
SHA256
f04d3056f82bae71b9e809c5c620f4f2d08857a1dbf0866a13269203cef171ac
-
SHA512
b25b06ee50ca1aeb3a45de6a8ac777888532bec41b4266e4766a704ef3d7e0f15e91af832170ed6a1ccd28a491be7d0e35f7aaea1ec09182ed2d03adedfddef4
-
SSDEEP
98304:TDqPoBhz1aRxcSUDk36SAEdhv8P593R8yAVp2H:TDqPe1Cxcxk3ZAEyzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3049) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\526f83cfa2794470c0b323518daf0de0.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\526f83cfa2794470c0b323518daf0de0.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD5f12b69c504464cc5443eb5ced38b690b
SHA140d08fe240c6dca35bab10eb630397919a9b5a88
SHA25678bbe4a65e13a06df5ae05c158aeec7c0ed7883a62261a25c63673c600047d4c
SHA512be9e2fa92d379baa6cb92dd064ffd1c6c3ce360f75adcbe205aebb2c112d14b88da834d94b21bc2007aecff12d2eb04f378d80eb21be4563093121702ec70c5c
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5f12b69c504464cc5443eb5ced38b690b
SHA140d08fe240c6dca35bab10eb630397919a9b5a88
SHA25678bbe4a65e13a06df5ae05c158aeec7c0ed7883a62261a25c63673c600047d4c
SHA512be9e2fa92d379baa6cb92dd064ffd1c6c3ce360f75adcbe205aebb2c112d14b88da834d94b21bc2007aecff12d2eb04f378d80eb21be4563093121702ec70c5c
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5f12b69c504464cc5443eb5ced38b690b
SHA140d08fe240c6dca35bab10eb630397919a9b5a88
SHA25678bbe4a65e13a06df5ae05c158aeec7c0ed7883a62261a25c63673c600047d4c
SHA512be9e2fa92d379baa6cb92dd064ffd1c6c3ce360f75adcbe205aebb2c112d14b88da834d94b21bc2007aecff12d2eb04f378d80eb21be4563093121702ec70c5c
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD571cb28d82d822b74b5dabe0e7d08fb04
SHA1d9eb8751973dfb933c2c481e2205a47970e3f461
SHA2563e4b13d1d3ac51041a7e8301c55f421545265d013fa9b0b6aa1aecf736fff735
SHA51223a196afad2996e7fe6fb3305637fee476fff312f7554aefca3c098922fb3c44d9568a8d49c4d821fb81e95acc75debafd2f37b6208034a4497016afc2bb0210
-
memory/644-132-0x0000000000000000-mapping.dmp
-
memory/2468-133-0x0000000000000000-mapping.dmp