Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2022, 07:35

General

  • Target

    5df2f4ccc627d69619aa273a910fef85.dll

  • Size

    5.0MB

  • MD5

    5df2f4ccc627d69619aa273a910fef85

  • SHA1

    4fede53863ca2ae77623389182a502eb4968f498

  • SHA256

    d33624a32697dc5e277efef5afddfc38177b5ee8c17cda21dbdcccdf593d0ba4

  • SHA512

    9aea89903625c921b166af00dba135f480790880d62855807f2161e5a652e16a96fa3f2bbf493d7b89d35f93200251f86823130b1468f7a9206a8e9df88d21e5

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1306) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5df2f4ccc627d69619aa273a910fef85.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1056
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5df2f4ccc627d69619aa273a910fef85.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:548
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1412

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\WINDOWS\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          d9fd56d2a7600655725ed3346032b4c1

          SHA1

          89b55d839224ca29359ebd99bf396b70b6a7368d

          SHA256

          16b4b11cfcb5dd93cf4f73b71638afa83aa7d7505e8bf48fbdad3f0d9fcc00e3

          SHA512

          67ff6533ac616fe24f0f273f5de4d0220afedc60f001ce6be1f1726030ce48ff8bb3bce0068b0448a80761eabeff0774fa987e1eb1efc1d1d6e9d67e04544ff9

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          d9fd56d2a7600655725ed3346032b4c1

          SHA1

          89b55d839224ca29359ebd99bf396b70b6a7368d

          SHA256

          16b4b11cfcb5dd93cf4f73b71638afa83aa7d7505e8bf48fbdad3f0d9fcc00e3

          SHA512

          67ff6533ac616fe24f0f273f5de4d0220afedc60f001ce6be1f1726030ce48ff8bb3bce0068b0448a80761eabeff0774fa987e1eb1efc1d1d6e9d67e04544ff9

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          d9fd56d2a7600655725ed3346032b4c1

          SHA1

          89b55d839224ca29359ebd99bf396b70b6a7368d

          SHA256

          16b4b11cfcb5dd93cf4f73b71638afa83aa7d7505e8bf48fbdad3f0d9fcc00e3

          SHA512

          67ff6533ac616fe24f0f273f5de4d0220afedc60f001ce6be1f1726030ce48ff8bb3bce0068b0448a80761eabeff0774fa987e1eb1efc1d1d6e9d67e04544ff9

        • memory/2000-55-0x0000000074E11000-0x0000000074E13000-memory.dmp

          Filesize

          8KB