Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-07-2022 03:18

General

  • Target

    833673f1109f028b77a5703bdd180bda.dll

  • Size

    5.0MB

  • MD5

    833673f1109f028b77a5703bdd180bda

  • SHA1

    c182af79cac9592bb4b4bbe5f507e70fe98e08ca

  • SHA256

    9bfd0ee288665f94b99c0bea0d7bdc55521fa761a2a8e0390481bf3a3f210cf7

  • SHA512

    29eda75865243498b123c7fe5c6b7b3bba40e5838dc41b27fabaa6b3c52bf81f824da3a51ece3ba5a978ca3e3b540c027cadec769d418d37104800f164908c24

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3184) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\833673f1109f028b77a5703bdd180bda.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\833673f1109f028b77a5703bdd180bda.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2732
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:1808

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\WINDOWS\mssecsvr.exe

    Filesize

    3.6MB

    MD5

    7bf8e812377b14c873b0a5c857ee0346

    SHA1

    05097523b6ac26a12ec1ed6a21ef11f153be2dd4

    SHA256

    0fb97a3bc05d33f4a5641f12a3491fa057e625a10b311613c5c41b8a950d8330

    SHA512

    d413a2935953f5aa55c170d10ac770f8d09513673c40ae900daf4e3378a9712e27456767cdafe03a8a961b8723e7676d02eea3cdc73df3cada4bf95f2622545a

  • C:\Windows\mssecsvr.exe

    Filesize

    3.6MB

    MD5

    7bf8e812377b14c873b0a5c857ee0346

    SHA1

    05097523b6ac26a12ec1ed6a21ef11f153be2dd4

    SHA256

    0fb97a3bc05d33f4a5641f12a3491fa057e625a10b311613c5c41b8a950d8330

    SHA512

    d413a2935953f5aa55c170d10ac770f8d09513673c40ae900daf4e3378a9712e27456767cdafe03a8a961b8723e7676d02eea3cdc73df3cada4bf95f2622545a

  • memory/2732-131-0x0000000000000000-mapping.dmp

  • memory/3840-130-0x0000000000000000-mapping.dmp