Analysis

  • max time kernel
    153s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2022, 07:36

General

  • Target

    83fd51535985071f14d083c143797233.dll

  • Size

    5.0MB

  • MD5

    83fd51535985071f14d083c143797233

  • SHA1

    7d639bcb93f9bf3afbcb71256e20986af30bceea

  • SHA256

    2e763503a70d6279bb00ac73127955280acdba20dc1ef6f5f9f1aa24098dfcf8

  • SHA512

    933d71b3cf7b452101720d1b73996663204fc6cbd35c7b4d7895e4869a16f9426ac1578e73287403965be5feaf97e039a522b92f5910bd088d6b2a7c3bfc8fbc

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3017) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\83fd51535985071f14d083c143797233.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\83fd51535985071f14d083c143797233.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:920
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4828
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2116
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:1028
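
The process tree above and the "contacts a large number of remote hosts" signature are the two behaviours worth turning into detections, since the file hashes only identify this one sample. The block below is an added example, not code from the sandbox or from the report: it runs a process-chain rule (rundll32.exe spawning an EXE directly under C:\Windows, tasksche.exe /i, and the mssecsvc.exe -m security service launch) and a per-process distinct-destination fan-out rule over constructed Sysmon-style events whose PIDs, paths and command lines mirror the tree shown above. The event dicts, PIDs 600/700/3000 and the 10.0.x.x destination addresses are made up for the example.

```python
"""Behavioural detection for the WannaCry-style chain shown in the report.

Added example; the SAMPLE_EVENTS records are constructed to mirror the
report's process tree and fan-out count, they are not sandbox output.
"""
from collections import defaultdict
import ntpath

# Constructed Sysmon-like events: id 1 = process create, id 3 = network connect.
# PIDs 1548/920/4828/2116/1028 and the command lines come from the report;
# parent PIDs 600/700 and PID 3000 (a benign rundll32 control) are assumed.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1548, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\83fd51535985071f14d083c143797233.dll,#1"},
    {"id": 1, "pid": 920, "ppid": 1548, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\83fd51535985071f14d083c143797233.dll,#1"},
    {"id": 1, "pid": 4828, "ppid": 920, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"id": 1, "pid": 2116, "ppid": 4828, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"id": 1, "pid": 1028, "ppid": 700, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Benign control: rundll32 loading a system DLL, nothing dropped.
    {"id": 1, "pid": 3000, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]
# The dropped mssecsvc.exe instance fans out to 3017 distinct hosts on 445
# (the count the report's signature reports); destinations are constructed.
SAMPLE_EVENTS += [
    {"id": 3, "pid": 4828, "image": r"C:\WINDOWS\mssecsvc.exe",
     "dst_ip": f"10.0.{i // 256}.{i % 256}", "dst_port": 445}
    for i in range(1, 3018)
]
SAMPLE_EVENTS.append({"id": 3, "pid": 3000, "image": r"C:\Windows\system32\rundll32.exe",
                      "dst_ip": "10.0.0.5", "dst_port": 443})

WIN_ROOT = "c:\\windows\\"


def _basename(path):
    return ntpath.basename(path).lower()


def _in_windows_root(path):
    """True for files directly under C:\\Windows (not System32/SysWOW64).
    Case-insensitive: the report shows both C:\\WINDOWS and C:\\Windows."""
    p = path.lower()
    return p.startswith(WIN_ROOT) and "\\" not in p[len(WIN_ROOT):]


def detect_process_chain(events):
    """Return (rule, pid, detail) findings for the three chain behaviours."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        argv = e["cmd"].split()
        # Rule 1: rundll32.exe spawning an executable that lives in C:\Windows root.
        if parent and _basename(parent["image"]) == "rundll32.exe" and _in_windows_root(e["image"]):
            findings.append(("dropped_exe_from_rundll32", e["pid"], e["image"]))
        # Rule 2: tasksche.exe /i (installer stage) run from the Windows root.
        if _basename(e["image"]) == "tasksche.exe" and "/i" in argv and _in_windows_root(e["image"]):
            findings.append(("tasksche_install", e["pid"], e["cmd"]))
        # Rule 3: mssecsvc.exe -m security, the service-mode launch in the tree.
        if _basename(e["image"]) == "mssecsvc.exe" and "-m" in argv and "security" in argv:
            findings.append(("mssecsvc_service_mode", e["pid"], e["cmd"]))
    return findings


def detect_fanout(events, threshold=100, port=445):
    """Distinct destination hosts per PID on `port`; return those >= threshold."""
    dsts = defaultdict(set)
    for e in events:
        if e["id"] == 3 and e["dst_port"] == port:
            dsts[e["pid"]].add(e["dst_ip"])
    return {pid: len(s) for pid, s in dsts.items() if len(s) >= threshold}


def ancestry(events, pid):
    """Image basenames from the oldest known ancestor down to `pid`."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    chain = []
    while pid in procs:
        chain.append(_basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for finding in detect_process_chain(SAMPLE_EVENTS):
        print(finding)
    print(detect_fanout(SAMPLE_EVENTS))
    print(" -> ".join(ancestry(SAMPLE_EVENTS, 2116)))
```

The fan-out threshold of 100 distinct hosts per process is an assumed starting point, not a value from the report; tune it against your own telemetry so that legitimate SMB-heavy processes (backup agents, management tools) stay under it. Note that writing to the root of C:\Windows needs administrative rights, which is consistent with the sample having been run as Admin in the sandbox; on a least-privilege host the first rule would fire less often but the DLL would also fail to stage mssecsvc.exe there.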

Network

        Downloads

        • C:\WINDOWS\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          6d5e97b9f93fc008b99e40c676901ae3

          SHA1

          f6111eaf56b1c03c3ac0fa6f65fce945f230538c

          SHA256

          4b8414f81b20f0635b02072a6b3d6de8b168892554331fa8231ff51334e40421

          SHA512

          017c055f7aea286082d96623c43133a1920754fe7f3e3006a0836e106031461d13e9a8bfafb27e78522a41ac9da0409625c84120959b0f22609bfc32f2c0087a

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          67d08a8ea0584d0c7a00c2179c8e010f

          SHA1

          317a7c1cf49cd6907e22444d63dea832d175d2a6

          SHA256

          eb3830d19e5e887593976dcf7a040f22bd2dbd43e911320113acb2e54654cf92

          SHA512

          c667afc72f6d933e555c96150e0ea465e5f2276e7c896d932f59dadf1a2008a1ab9aaf7d68df3dd0b7227d26394758699eb5f3c0818882d0ecd8d7e3a900a037