Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2022, 07:39

General

  • Target

    ff0ec5621475e217fa6d2fea39b9a37e.dll

  • Size

    5.0MB

  • MD5

    ff0ec5621475e217fa6d2fea39b9a37e

  • SHA1

    dddceadfd6396ea7ead3aec4429c22ec0359f408

  • SHA256

    b9029c845771376e90d6f199449b5c2c337ddccb242f376223f54bc2df44fdc6

  • SHA512

    5ec084bd18132daafd2abe81803686e121c6bfc3787bbfac12f52caf78b11b22188d330e13d6bced7e1e89f964c4d0032afdec97afe91ae33054a68ba3ca943d

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1276) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff0ec5621475e217fa6d2fea39b9a37e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\ff0ec5621475e217fa6d2fea39b9a37e.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1316
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1040
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1768
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:912

Network

Downloads

  • C:\WINDOWS\mssecsvc.exe

    Filesize
    3.6MB

    MD5
    bce37f9a46dd6e5ed17db4c24a28dc7f

    SHA1
    f6735933b157c30cb02af4e76b541e8e3d4de019

    SHA256
    304677e6ad30803ebfc8f28a17d7b383c868ee3bf78b854188bbe0acb7e74fb2

    SHA512
    2174eddacb0bcc795e93fdaf72905983fcbffe8a092dbfecff97a3b0b0c988a3d1acdbc721a156539bd22b0c01dc378647b50a15d4ac4f351ef51967be0877da

  • C:\Windows\tasksche.exe

    Filesize
    3.4MB

    MD5
    16226b9dab177f18ec44f297a2d0e86a

    SHA1
    40d9d09f08376b07b73d8f70374151a2c0fa5bf4

    SHA256
    81f1a0cb09387321278177d55442f1c32fecff59c579584dd2e4e52753a8b315

    SHA512
    79f24ba409412140c148936d1ccabb876c671a56c72c6641200f272cf2ced278ab88e32a610b00f709e3b129123800c119aa10521e0f1d9123f1078f8b07d283

  • memory/1316-55-0x00000000749D1000-0x00000000749D3000-memory.dmp

    Filesize
    8KB