Behavioral Report

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2022 19:55

Sharing

Copy URL

Twitter E-mail

Report Files Registry Network Processes Mutex Misc

General

Target

3df6e06d7f6270903dda0e9e0da7ff6e.dll
Size

5MB
MD5

3df6e06d7f6270903dda0e9e0da7ff6e
SHA1

29dcb3b3b9f9e5f6679ba6fa32531d4d92f567fb
SHA256

51c5225c4bf368296754697e310f1583300b5e85748be40dca5ff5647df4f8dc
SHA512

0cf97a1361b5b73569c4497958091b298c2c29c85ad734078165fbe0cb86c9776bd33463dbd7ecda8d147544d771b1ca6b8751bfc8135cb70eb257f211de3e94
SSDEEP

49152:snjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SA:M8qPoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3301) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

TTPs:

Network Service Scanning
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2184 mssecsvc.exe
2108 mssecsvc.exe
4092 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

TTPs:

Network Service Scanning
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2184	mssecsvc.exe
2108	mssecsvc.exe
4092	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 4952 wrote to memory of 1368	4952	rundll32.exe	rundll32.exe
PID 4952 wrote to memory of 1368	4952	rundll32.exe	rundll32.exe
PID 4952 wrote to memory of 1368	4952	rundll32.exe	rundll32.exe
PID 1368 wrote to memory of 2184	1368	rundll32.exe	mssecsvc.exe
PID 1368 wrote to memory of 2184	1368	rundll32.exe	mssecsvc.exe
PID 1368 wrote to memory of 2184	1368	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3df6e06d7f6270903dda0e9e0da7ff6e.dll,#1

Suspicious use of WriteProcessMemory

PID:4952

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3df6e06d7f6270903dda0e9e0da7ff6e.dll,#1

Drops file in Windows directory
Suspicious use of WriteProcessMemory

PID:1368

C:\WINDOWS\mssecsvc.exe

C:\WINDOWS\mssecsvc.exe

Executes dropped EXE
Drops file in Windows directory

PID:2184

C:\WINDOWS\tasksche.exe

C:\WINDOWS\tasksche.exe /i

Executes dropped EXE

PID:4092

C:\WINDOWS\mssecsvc.exe

C:\WINDOWS\mssecsvc.exe -m security

Executes dropped EXE

PID:2108

Network

MITRE ATT&CK Matrix

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Network Service Scanning

T1046

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Replay Monitor

00:00 00:00

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3MB

MD5
83b00f6b894ff7bb0f087fb29d940ae0

SHA1
b11684cfcb4f81a5997a1e67444f38e4de06a342

SHA256
eca5e284a55c0b83ce4ae7eccbd54632775ab02ed34c8456459612721ddba9d7

SHA512
c319e4eb06b67eda1bc06c8c5e0146d8b8866b04180e37ae72e7642befc0cc0cd641297e990fa1657fc7d26a55c78ce5325deb2cd958de02e7980c23e6121f1e

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3MB

MD5
83b00f6b894ff7bb0f087fb29d940ae0

SHA1
b11684cfcb4f81a5997a1e67444f38e4de06a342

SHA256
eca5e284a55c0b83ce4ae7eccbd54632775ab02ed34c8456459612721ddba9d7

SHA512
c319e4eb06b67eda1bc06c8c5e0146d8b8866b04180e37ae72e7642befc0cc0cd641297e990fa1657fc7d26a55c78ce5325deb2cd958de02e7980c23e6121f1e

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3MB

MD5
83b00f6b894ff7bb0f087fb29d940ae0

SHA1
b11684cfcb4f81a5997a1e67444f38e4de06a342

SHA256
eca5e284a55c0b83ce4ae7eccbd54632775ab02ed34c8456459612721ddba9d7

SHA512
c319e4eb06b67eda1bc06c8c5e0146d8b8866b04180e37ae72e7642befc0cc0cd641297e990fa1657fc7d26a55c78ce5325deb2cd958de02e7980c23e6121f1e

Download Submit
C:\Windows\tasksche.exe
Filesize
3MB

MD5
d2deffafa88eed37f5263b395767fd0b

SHA1
cf96cad2f905f022e59d1345fe211984dae32321

SHA256
71431f1a52800c3b1c0f6e7de9241089e0864d1e059b89504a15c3d2565bde66

SHA512
832d7bf0ba6425e265cf7e203ae4facfce4a19e07353fd69d036c557f1b1561a29dea4abc1fce0032bdd8b6cc97cd3fb7fbe0d2684d8df0edb2fb6b5dfbe4b25

Download Submit
memory/1368-132-0x0000000000000000-mapping.dmp

Download
memory/2108-140-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6MB

Download
memory/2108-141-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6MB

Download
memory/2184-133-0x0000000000000000-mapping.dmp

Download
memory/2184-136-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6MB

Download
memory/2184-139-0x0000000000400000-0x0000000000A72000-memory.dmp

Filesize
6MB

Download