Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2022, 07:33

General

  • Target

    86f52c47bd6c4795e54aea3d133e7547.dll

  • Size

    5.0MB

  • MD5

    86f52c47bd6c4795e54aea3d133e7547

  • SHA1

    4e119e821c6b5f0f15e83b9dc05a5e199a349ce8

  • SHA256

    4bd9347edac2eba983f5f54e8c842c09a0c1b0104b41d92c7e68cd7ace1f270c

  • SHA512

    3f8fd43e16b7cb7fab1215dccaf399063127047a9e3ff016a1bdddd858637a146bec55fc92b376fb674e2506f01f1e8551a51957e56658ad6400c6d437b88172

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1292) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\86f52c47bd6c4795e54aea3d133e7547.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:308
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\86f52c47bd6c4795e54aea3d133e7547.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1124
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1908
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1700
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2020

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\WINDOWS\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    7f6cab73801d7ca89a335b6c9b3e8bf9

    SHA1

    672508a5e795db895cc83dbfd48fcb52f15860f9

    SHA256

    74549f9d788694ac41ee24aa27dfca97249ca7287d1ba766c7cf30dc31113fa8

    SHA512

    571b6ee20e6438cd628845f3e03222ca8488800bff5cab7bba64a6616bee97f430d4171768aa8f65554814ac2dcab078157f6760dfea17824f5ee7ca9600beb6

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    7f6cab73801d7ca89a335b6c9b3e8bf9

    SHA1

    672508a5e795db895cc83dbfd48fcb52f15860f9

    SHA256

    74549f9d788694ac41ee24aa27dfca97249ca7287d1ba766c7cf30dc31113fa8

    SHA512

    571b6ee20e6438cd628845f3e03222ca8488800bff5cab7bba64a6616bee97f430d4171768aa8f65554814ac2dcab078157f6760dfea17824f5ee7ca9600beb6

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    60e22b8e0b0f6d32106487d4fd4f5298

    SHA1

    9d24a3c4be0ccb192456ab497a2cab4c43dac029

    SHA256

    f291bc9153171bc9a4e87a98bda82f707f6abcd1ba8c7b5cec2c913c8adc6874

    SHA512

    1b45ee887821883372a3e15f1181f0ea57dc3d666f58a60b97379d6caed8585330048fa840cb0c384e27d0c6edfd6ac2194b99fa43688da5ea7d5215ac216071

  • memory/1124-55-0x0000000075481000-0x0000000075483000-memory.dmp

    Filesize

    8KB