Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    20-07-2022 01:55

General

  • Target

    78eae7fce7c9388446dc27ff213fe28b.dll

  • Size

    5.0MB

  • MD5

    78eae7fce7c9388446dc27ff213fe28b

  • SHA1

    4e153396fa78a220c583cac81198be16648d8c32

  • SHA256

    8b51945ada866301cd583744f4363bbeac1b7ec84ee78c0135824a2dc57f7244

  • SHA512

    4c4ceaf90e58740e8d74d8640eb2d4e6c765257c9c10fce683f046fd8d65492533329e127800d0b94300b1fe7435a6e03024af0dbd5390e92e00dcaa4fa1168d

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1282) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\78eae7fce7c9388446dc27ff213fe28b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\78eae7fce7c9388446dc27ff213fe28b.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:784
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1392
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1360

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    cacc6729c6beb693dedaeb6725c1f11e

    SHA1

    eca13474ed4342ae9425096d9af0751ba168e67c

    SHA256

    95c3d2057098f39398218abe9f59a684e90aefc53546cb3a3a35b40d2bc2f286

    SHA512

    5b767093a541668fd7b6486c7e1dbb08453f369a79a4d9aec22a25bc37e271de2c76a6a529d2ea01becd6b432d62c099776c1c54e738ee234e58441605cab447

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    cacc6729c6beb693dedaeb6725c1f11e

    SHA1

    eca13474ed4342ae9425096d9af0751ba168e67c

    SHA256

    95c3d2057098f39398218abe9f59a684e90aefc53546cb3a3a35b40d2bc2f286

    SHA512

    5b767093a541668fd7b6486c7e1dbb08453f369a79a4d9aec22a25bc37e271de2c76a6a529d2ea01becd6b432d62c099776c1c54e738ee234e58441605cab447

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    cacc6729c6beb693dedaeb6725c1f11e

    SHA1

    eca13474ed4342ae9425096d9af0751ba168e67c

    SHA256

    95c3d2057098f39398218abe9f59a684e90aefc53546cb3a3a35b40d2bc2f286

    SHA512

    5b767093a541668fd7b6486c7e1dbb08453f369a79a4d9aec22a25bc37e271de2c76a6a529d2ea01becd6b432d62c099776c1c54e738ee234e58441605cab447

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    e77b6f2af12d54a10c978b7f665c11c1

    SHA1

    2cf4a829a8598234f206d682b12387ef4017a09e

    SHA256

    edac81687e84c1433f1edcdbfb346a7b7fbb93365f98834fa6fc92821852d3e7

    SHA512

    81bdf8ea3f116c4921982901161274ff2e476003637fcc8b4fc47e3d29f6482ecd547d383978991ff8ff7474236595241a2dd99b975ace5dd4c8ee8125bf833f

  • memory/540-54-0x0000000000000000-mapping.dmp

  • memory/540-55-0x0000000075871000-0x0000000075873000-memory.dmp

    Filesize

    8KB

  • memory/784-56-0x0000000000000000-mapping.dmp