Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-07-2022 03:07

General

  • Target

    20193d9b262e6a2f296073ea0855fed4.dll

  • Size

    5.0MB

  • MD5

    20193d9b262e6a2f296073ea0855fed4

  • SHA1

    f9f91e60280841308449b5f892fda0f4b5bbda3c

  • SHA256

    6420ae820a10cee7861431a1a69aeeeb4d42dba4280b0219a2be101a423eb4cf

  • SHA512

    b8f693a40fa17a0f0a87c3ae8207704dd0a724b52f44553161cf4e3fa83c2e89f4e0e55c402fe4b4246492bf645de30ae1ff1b160dc7a055e43abcb574677991

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1180) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
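
The "Contacts a large (1180) amount of remote hosts" signature is a fan-out count: one process reaching far more distinct destination hosts than any legitimate client would inside a short window. The following is an added example of that detection logic, written for this page and not part of the sandbox report or of any tool it names. The connection-event shape (`ConnEvent`), the helper `conn_at`, the thresholds, and every record in `build_sample_events` are constructed; the report gives only the host count, so destination port 445, the timings, and the benign svchost.exe control (PID 1300) are assumptions for illustration.

```python
"""Fan-out detector for the behaviour behind the sandbox signature 'Contacts a
large amount of remote hosts': the number of distinct destination hosts one
process reaches inside a sliding time window. Added example, not part of the
sandbox report. The event shape and every record below are constructed; the
report states only the host count (1180), so port 445 and the timings are
assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2022, 7, 20, 3, 7, 0)  # report submission time, used as an epoch


@dataclass(frozen=True)
class ConnEvent:
    ts: datetime
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def conn_at(offset_s, pid, dst_ip, dst_port=445, image=r"C:\WINDOWS\mssecsvr.exe"):
    """Build an event offset_s seconds after T0 (helper for constructed data)."""
    return ConnEvent(T0 + timedelta(seconds=offset_s), pid, image, dst_ip, dst_port)


def build_sample_events():
    events = []
    # PID 2000 (mssecsvr.exe in the report) reaching 1180 distinct hosts in
    # under a minute; port 445 is assumed, the report lists no port.
    for i in range(1180):
        events.append(conn_at(0.05 * i, 2000, f"10.{i >> 8}.{i & 255}.1"))
    # Repeated contacts to one host: these must not inflate the distinct count.
    for i in range(200):
        events.append(conn_at(0.025 * i, 2000, "10.0.0.1"))
    # Benign control (constructed): five hosts over five seconds on 443.
    for i in range(5):
        events.append(conn_at(i, 1300, f"192.0.2.{i}", 443,
                              r"C:\Windows\System32\svchost.exe"))
    return events


def max_distinct_hosts(events, window_s):
    """Largest number of distinct dst_ip values seen within any window_s span."""
    evs = sorted(events, key=lambda e: e.ts)
    window = timedelta(seconds=window_s)
    in_window = Counter()  # dst_ip -> number of events currently in the window
    left = best = 0
    for e in evs:
        in_window[e.dst_ip] += 1
        while e.ts - evs[left].ts > window:  # slide the left edge forward
            old = evs[left].dst_ip
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            left += 1
        best = max(best, len(in_window))
    return best


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    distinct_hosts: int
    top_port: int


def find_scanners(events, window_s=60, threshold=100):
    """Return {pid: Finding} for processes exceeding threshold distinct hosts."""
    per_pid = defaultdict(list)
    for e in events:
        per_pid[e.pid].append(e)
    hits = {}
    for pid, evs in per_pid.items():
        n = max_distinct_hosts(evs, window_s)
        if n >= threshold:
            port = Counter(e.dst_port for e in evs).most_common(1)[0][0]
            hits[pid] = Finding(pid, evs[0].image, n, port)
    return hits


if __name__ == "__main__":
    for f in find_scanners(build_sample_events()).values():
        print(f"PID {f.pid} {f.image}: {f.distinct_hosts} distinct hosts, "
              f"top port {f.top_port}")
```

Counting distinct hosts rather than connections is the point: a worm retrying the same target does not look like a scan, and a client hammering one server should not trip the rule. The threshold of 100 hosts in 60 seconds is an arbitrary starting value and should be tuned against the environment's baseline.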

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\20193d9b262e6a2f296073ea0855fed4.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\20193d9b262e6a2f296073ea0855fed4.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1888
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2000
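
The process tree above shows the chain a detection engineer would want to catch: rundll32.exe loading a DLL from the user's Temp directory by ordinal (`,#1`), that process dropping and starting an executable directly in the Windows root (C:\WINDOWS\mssecsvr.exe, not System32), and the dropped executable later running again as a separate root process with `-m security`. The following is an added example of that logic, written for this page and not part of the sandbox report or of any tool it names. The event shape mimics the image, command-line, PID and parent-PID fields of a process-creation log; the records are constructed from the report's process tree, and the parent PIDs of the two root processes (600 and 480) and the benign rundll32.exe control (PID 3100) are assumptions.

```python
"""Detection logic for the execution chain in the report's process tree:
rundll32 loading a DLL from the user's Temp directory by ordinal, an
executable started directly in C:\Windows under a rundll32 ancestor, and that
dropped executable relaunched outside the original chain. Added example, not
part of the sandbox report; records are constructed from the report's process
tree, with parent PIDs of the root processes assumed."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\20193d9b262e6a2f296073ea0855fed4.dll"

# Constructed from the report's tree; ppid 600 and 480 are assumed values.
SAMPLE_EVENTS = [
    ProcEvent(1200, 600, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1436, 1200, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1888, 1436, r"C:\WINDOWS\mssecsvr.exe", r"C:\WINDOWS\mssecsvr.exe"),
    ProcEvent(2000, 480, r"C:\WINDOWS\mssecsvr.exe", r"C:\WINDOWS\mssecsvr.exe -m security"),
    # Benign control (constructed): rundll32 calling a system DLL by export name.
    ProcEvent(3100, 600, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),
]

# A DLL under <user>\AppData\Local\Temp invoked by ordinal, e.g. "...\x.dll,#1".
TEMP_DLL_BY_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+",
                                 re.IGNORECASE)
WINDOWS_ROOT = r"c:\windows"


def basename(path):
    return ntpath.basename(path).lower()


def dirname(path):
    return ntpath.dirname(path).lower().rstrip("\\")


def ancestors(pid, by_pid):
    """Parent chain of pid, nearest first; stops at PIDs not in the log.
    PID reuse is not handled, which a real pipeline must do with timestamps."""
    out, cur = [], by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in {a.pid for a in out}:
        cur = by_pid[cur.ppid]
        out.append(cur)
    return out


def detect(events):
    """Run the three rules over events (assumed in process-creation order)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    dropped = set()  # images first executed under a rundll32 ancestor
    for e in events:
        if basename(e.image) == "rundll32.exe" and TEMP_DLL_BY_ORDINAL.search(e.cmdline):
            findings.append(Finding("rundll32_temp_dll_ordinal", e.pid, e.cmdline))
        under_rundll32 = any(basename(a.image) == "rundll32.exe"
                             for a in ancestors(e.pid, by_pid))
        if (under_rundll32 and dirname(e.image) == WINDOWS_ROOT
                and basename(e.image) != "rundll32.exe"):
            findings.append(Finding("exe_in_windows_root_from_rundll32", e.pid, e.image))
            dropped.add(e.image.lower())
        elif e.image.lower() in dropped and not under_rundll32:
            # Same dropped binary started again with no rundll32 ancestry,
            # as mssecsvr.exe -m security is in the report.
            findings.append(Finding("dropped_exe_relaunched", e.pid, e.cmdline))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:36} PID {f.pid}: {f.detail}")
```

The third rule keys on the image path of a binary already seen under rundll32.exe, so it fires on the second mssecsvr.exe instance even though that process has no recorded parent in the tree; hashing the dropped file (the report's MD5 193c96072c7a1ebf2bf8b012aca6bc54) would make the match robust to renames.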

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\WINDOWS\mssecsvr.exe

    Filesize

    2.2MB

    MD5

    193c96072c7a1ebf2bf8b012aca6bc54

    SHA1

    c082afb424fac4fef094d5ea5b824c1e7dfa9343

    SHA256

    68c619f094bf8754e606a0b884f9a2b64388c22501946d21245931f8953d01f8

    SHA512

    611bee64c679dedb0ed6f7306c2e2e4e7f09c9e4ec6ca09ae8731df2bcd398dd9e87b63504a4bee7777add752ba0b00fc2feef52c7395a8a2495f2d52e80e630

  • C:\Windows\mssecsvr.exe

    Filesize

    2.2MB

    MD5

    193c96072c7a1ebf2bf8b012aca6bc54

    SHA1

    c082afb424fac4fef094d5ea5b824c1e7dfa9343

    SHA256

    68c619f094bf8754e606a0b884f9a2b64388c22501946d21245931f8953d01f8

    SHA512

    611bee64c679dedb0ed6f7306c2e2e4e7f09c9e4ec6ca09ae8731df2bcd398dd9e87b63504a4bee7777add752ba0b00fc2feef52c7395a8a2495f2d52e80e630

  • memory/1436-54-0x0000000000000000-mapping.dmp

  • memory/1436-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

    Filesize

    8KB

  • memory/1888-56-0x0000000000000000-mapping.dmp