Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/07/2022, 07:37

General

  • Target

    d30aa7aad0beb177a00f6af0946239b6.dll

  • Size

    5.0MB

  • MD5

    d30aa7aad0beb177a00f6af0946239b6

  • SHA1

    3ad164445af28132cb660566e69b0fbf90f72855

  • SHA256

    f6969106a17b8a55207264c2f32131870cb5c83cef4182eea9a6e3f4e7af49f8

  • SHA512

    bbb1fb3316f224655d88e85a05831132296a8214567c32ed58d8d8f4f828bc57b8b0eed45296835e683a33d3b90ab249b00c1e02c749b2cd4ea7b17f1e74d8c0

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3321) number of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (2 IoCs)
  • Creates a large number of network flows (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory (2 IoCs)
  • Modifies data under HKEY_USERS (5 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe (level 1, PID 3768)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d30aa7aad0beb177a00f6af0946239b6.dll,#1
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe (level 2, PID 4284)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d30aa7aad0beb177a00f6af0946239b6.dll,#1
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • C:\WINDOWS\mssecsvr.exe (level 3, PID 4460)
        C:\WINDOWS\mssecsvr.exe
        • Executes dropped EXE
        • Drops file in Windows directory
  • C:\WINDOWS\mssecsvr.exe (level 1, PID 4624)
    C:\WINDOWS\mssecsvr.exe -m security
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
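The process tree above is the detection-worthy part of this report: a 64-bit rundll32.exe loads a DLL from the user's Temp directory by export ordinal (",#1"), re-spawns its 32-bit self, which writes and executes mssecsvr.exe directly in the Windows root; a second mssecsvr.exe instance then appears at level 1, under an unrelated parent, with "-m security". The script below is an added example and is not part of the sandbox report or its tooling. Its events are constructed to mirror the tree (PIDs 3768, 4284, 4460, 4624, plus a benign rundll32 launch as a control); the field names pid, ppid, image and cmdline are an assumed minimal schema rather than any specific EDR or Sysmon layout, and the parent PIDs 1000 and 700 are placeholders.

```python
"""Flag the rundll32 -> dropped-EXE chain from the process tree above.

Added example; not part of the sandbox report. EVENTS is constructed to mirror
the report's tree; the field layout is an assumed minimal schema.
"""
import re
from collections import defaultdict

# Constructed process-creation events modelled on the report's "Processes" section.
EVENTS = [
    {"pid": 3768, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\d30aa7aad0beb177a00f6af0946239b6.dll,#1"},
    {"pid": 4284, "ppid": 3768, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\d30aa7aad0beb177a00f6af0946239b6.dll,#1"},
    {"pid": 4460, "ppid": 4284, "image": r"C:\WINDOWS\mssecsvr.exe",
     "cmdline": r"C:\WINDOWS\mssecsvr.exe"},
    # second instance at level 1; ppid 700 is a placeholder for an unrelated parent
    {"pid": 4624, "ppid": 700, "image": r"C:\WINDOWS\mssecsvr.exe",
     "cmdline": r"C:\WINDOWS\mssecsvr.exe -m security"},
    # benign control: rundll32 running a System32 DLL by export name
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# rundll32 loading a DLL from the user's Temp directory by export ordinal (",#N")
TEMP_DLL_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^\s]+\.dll,#\d+", re.IGNORECASE)
# an executable placed directly in the Windows root (C:\Windows\foo.exe), not in a subfolder
WINDOWS_ROOT_EXE = re.compile(r"^[A-Z]:\\Windows\\[^\\]+\.exe$", re.IGNORECASE)


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def find_suspicious_chains(events):
    """Return findings for (a) a rundll32+Temp-DLL process whose descendants include an
    EXE in the Windows root and (b) that same image later launched from any other parent."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if not is_rundll32(e["image"]) or not TEMP_DLL_ORDINAL.search(e["cmdline"]):
            continue
        parent = by_pid.get(e["ppid"])
        if parent and is_rundll32(parent["image"]):
            continue  # the 64-bit rundll32 re-spawning its 32-bit self: report once, at the root
        stack, seen = list(children[e["pid"]]), set()
        while stack:  # walk all descendants, not just direct children
            c = stack.pop()
            if c["pid"] in seen:
                continue
            seen.add(c["pid"])
            if WINDOWS_ROOT_EXE.match(c["image"]):
                findings.append({"rule": "rundll32_temp_dll_spawns_windows_root_exe",
                                 "root_pid": e["pid"], "child_pid": c["pid"], "image": c["image"]})
            stack.extend(children[c["pid"]])

    # the dropped image re-launched outside the rundll32 tree (here: "-m security")
    dropped_images = {f["image"].lower() for f in findings}
    already = {f["child_pid"] for f in findings}
    for e in events:
        if e["image"].lower() in dropped_images and e["pid"] not in already:
            findings.append({"rule": "dropped_image_relaunched", "pid": e["pid"],
                             "ppid": e["ppid"], "cmdline": e["cmdline"]})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chains(EVENTS):
        print(finding)
```

On the constructed events the first rule fires once, rooted at PID 3768 with child 4460 (the SysWOW64 rundll32 at 4284 is skipped as the self-respawn), and the second rule fires for PID 4624. Matching on the Windows-root image path rather than the name mssecsvr.exe is deliberate: the name is trivially changed between builds, the drop location and the rundll32 ordinal launch are what the tree actually shows.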

        Downloads

        • C:\WINDOWS\mssecsvr.exe

          Filesize

          2.2MB

          MD5

          ab99254eb8ac5e75e056dade7d45966b

          SHA1

          0f6e413774e815b4cfe0fe03a975f6e52d250864

          SHA256

          0a6da0d644dc2e343c418abe052490abc54ea8ae8ed41db6e0842677425faab4

          SHA512

          32672194e66876dee6a3c269e4f7eb637bf0694069db432a88f631180d7da99725299bb9785ccc7c776f937ccdff644cd8525a5da0a6305d3d3f735868aa99e9

        • C:\Windows\mssecsvr.exe

          Filesize

          2.2MB

          MD5

          ab99254eb8ac5e75e056dade7d45966b

          SHA1

          0f6e413774e815b4cfe0fe03a975f6e52d250864

          SHA256

          0a6da0d644dc2e343c418abe052490abc54ea8ae8ed41db6e0842677425faab4

          SHA512

          32672194e66876dee6a3c269e4f7eb637bf0694069db432a88f631180d7da99725299bb9785ccc7c776f937ccdff644cd8525a5da0a6305d3d3f735868aa99e9

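The Downloads entries above list the same dropped file more than once (the paths differ only in case), which is typical for a sandbox recording each write event separately. The script below is an added example, not part of the report or its tooling: it parses entries in this report's layout into IoC records, checks that each hash has the right length for its algorithm (a truncated hash pasted from a report is a common way to end up with an IoC that can never match), collapses duplicates on SHA-256, and matches arbitrary file bytes against the result. REPORT_DOWNLOADS is copied from the section above; the record layout and function names are my own.

```python
"""Parse report-style Downloads entries into IoC records, validate, dedupe and match.

Added example; not part of the sandbox report. REPORT_DOWNLOADS is copied from the
report's Downloads section; everything else is an assumed layout of my own.
"""
import hashlib
import re

REPORT_DOWNLOADS = r"""
• C:\WINDOWS\mssecsvr.exe
  Filesize
  2.2MB
  MD5
  ab99254eb8ac5e75e056dade7d45966b
  SHA1
  0f6e413774e815b4cfe0fe03a975f6e52d250864
  SHA256
  0a6da0d644dc2e343c418abe052490abc54ea8ae8ed41db6e0842677425faab4
  SHA512
  32672194e66876dee6a3c269e4f7eb637bf0694069db432a88f631180d7da99725299bb9785ccc7c776f937ccdff644cd8525a5da0a6305d3d3f735868aa99e9
• C:\Windows\mssecsvr.exe
  Filesize
  2.2MB
  MD5
  ab99254eb8ac5e75e056dade7d45966b
  SHA1
  0f6e413774e815b4cfe0fe03a975f6e52d250864
  SHA256
  0a6da0d644dc2e343c418abe052490abc54ea8ae8ed41db6e0842677425faab4
  SHA512
  32672194e66876dee6a3c269e4f7eb637bf0694069db432a88f631180d7da99725299bb9785ccc7c776f937ccdff644cd8525a5da0a6305d3d3f735868aa99e9
"""

# report label -> record key
LABELS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# expected hex-digest length per algorithm
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_downloads(text):
    """One record per '•' entry; each label line is followed by its value line."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line.lstrip("•").strip()}
            records.append(current)
        elif line in LABELS:
            pending = LABELS[line]
        elif pending and current is not None:
            current[pending] = line if pending == "size" else line.lower()
            pending = None
    return records


def validate(record):
    """Return a list of problems; empty means every hash is well-formed hex of the right length."""
    problems = []
    for key, n in HEX_LEN.items():
        value = record.get(key, "")
        if len(value) != n or not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(f"{key}: expected {n} hex chars, got {len(value)}")
    return problems


def dedupe_by_sha256(records):
    """Collapse entries that are the same bytes written to different paths."""
    merged = {}
    for r in records:
        entry = merged.setdefault(r["sha256"], {k: v for k, v in r.items() if k != "path"})
        entry.setdefault("paths", []).append(r["path"])
    return list(merged.values())


def hashes_of(data):
    return {key: getattr(hashlib, key)(data).hexdigest() for key in HEX_LEN}


def match_bytes(data, iocs):
    """IoC records whose SHA-256 equals that of the given file bytes."""
    digest = hashes_of(data)["sha256"]
    return [r for r in iocs if r.get("sha256") == digest]


if __name__ == "__main__":
    iocs = dedupe_by_sha256(parse_downloads(REPORT_DOWNLOADS))
    for ioc in iocs:
        print(ioc["sha256"], ioc["paths"], validate(ioc) or "ok")
    # constructed, harmless bytes: does not match the report's dropped file
    print(match_bytes(b"constructed sample bytes", iocs))
```

Matching is done on SHA-256 only; MD5 and SHA-1 are kept for cross-referencing other reports, not as the match key. To scan a directory, feed each file's bytes to match_bytes and keep the deduped list from the report as the IoC set.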