Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system
  • submitted
    20/07/2022, 07:34

General

  • Target

    2b3e78c15dac89342f1877465e292d7d.dll

  • Size

    5.0MB

  • MD5

    2b3e78c15dac89342f1877465e292d7d

  • SHA1

    725bac5b57fd334266a3925e9e668fd04de9b6ad

  • SHA256

    b56e00696cb8d5c824569e48b544f17d07b2f5cd2985a35ab11598a2cc424c16

  • SHA512

    900c28a81f4cca92ce761473a68fa98742bf882fb2cb118bdb6d4ffb304a399c9ac8ed5bd5b7f686b2254745a2e95da5c57719df7270c82c2ab1211fcfe7fc80

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1245) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3e78c15dac89342f1877465e292d7d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3e78c15dac89342f1877465e292d7d.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1816
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1148
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:920
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1428

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\WINDOWS\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          8fc1d22f4f7b401ae124feccf1b5c525

          SHA1

          2b44885b8cc7543446e5c4e1a14106e0d7db49b6

          SHA256

          fd9cd064d6e553e22254d6b1fcd746bf792428f0ab22fa8ca368ff9f41731ca8

          SHA512

          7cc5b2409dec6009e5f457356638f3c04f269f5bffd2e080d426a27b9837a924c634f80f5ba3f5e3a2cd5fee76b752b8577c516b4c7bc8e8852e859e96fcf526

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          8fc1d22f4f7b401ae124feccf1b5c525

          SHA1

          2b44885b8cc7543446e5c4e1a14106e0d7db49b6

          SHA256

          fd9cd064d6e553e22254d6b1fcd746bf792428f0ab22fa8ca368ff9f41731ca8

          SHA512

          7cc5b2409dec6009e5f457356638f3c04f269f5bffd2e080d426a27b9837a924c634f80f5ba3f5e3a2cd5fee76b752b8577c516b4c7bc8e8852e859e96fcf526

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          c23c03d983d146043d45f4e78973850d

          SHA1

          52ea200315ab77573122ed7ac3d7be47139f9918

          SHA256

          80e211eca3c140f1a8168ec4fa5c49c7c366e3b8f14dd79301962df91e2fc890

          SHA512

          4790ffb1157609548f23048a3bb98074621e8947cd30e694c259a08012595aa218ae39cbeee47c470a958ab45805668b89efaa4a0676a24afea788e79caeade2

        • memory/1816-55-0x0000000075831000-0x0000000075833000-memory.dmp

          Filesize

          8KB