Analysis

  • max time kernel
    151s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2022, 07:41

General

  • Target

    1f35108247eaaf84733eb8b52c958ec8.dll

  • Size

    5.0MB

  • MD5

    1f35108247eaaf84733eb8b52c958ec8

  • SHA1

    7d8b544ce7514205731a561cd85f8d36ac34dba3

  • SHA256

    15f2ff44943f7d6a2fe47be6b22a0c308b864a27d1eb21632c19d4f05183d8c3

  • SHA512

    5b6587df5b67577d0d962c4efa46b927f4f6022fff2fc6dc9eef0ea9be8d4e5620a540574c17404979b88c39f973a5f6d09a7d685601019eed4ba5ee7750a918

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1266) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f35108247eaaf84733eb8b52c958ec8.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1476
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f35108247eaaf84733eb8b52c958ec8.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1552
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1248
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1920

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\WINDOWS\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          2f2834bb4287ef5f8a8869f05349e3c4

          SHA1

          0208240348bc6674490e39e69d2d7361589a1188

          SHA256

          bcd945d61c1d37ed40d0257908fbab44d7479f297b991d322a865094f48d89ee

          SHA512

          5e8327ab03d165347a73858d09df52e4247c93e2d852626e97f96551cf17cd8c14fc36f4e3161bbe3af891850213720f2df77d39f24d61bf2afe79d6214699c0

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          2f2834bb4287ef5f8a8869f05349e3c4

          SHA1

          0208240348bc6674490e39e69d2d7361589a1188

          SHA256

          bcd945d61c1d37ed40d0257908fbab44d7479f297b991d322a865094f48d89ee

          SHA512

          5e8327ab03d165347a73858d09df52e4247c93e2d852626e97f96551cf17cd8c14fc36f4e3161bbe3af891850213720f2df77d39f24d61bf2afe79d6214699c0

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          2f2834bb4287ef5f8a8869f05349e3c4

          SHA1

          0208240348bc6674490e39e69d2d7361589a1188

          SHA256

          bcd945d61c1d37ed40d0257908fbab44d7479f297b991d322a865094f48d89ee

          SHA512

          5e8327ab03d165347a73858d09df52e4247c93e2d852626e97f96551cf17cd8c14fc36f4e3161bbe3af891850213720f2df77d39f24d61bf2afe79d6214699c0

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          e780ce5605542e653b1ed9630c72bd68

          SHA1

          955eadd5f4bc03838feede6564d3741329ec5d7d

          SHA256

          898604dc098aa9ce39343e8dbcff40c2686c53ec3321cf356c42d336f87b1eaf

          SHA512

          5534979c0fa2ac7b2eb2f91e74a70722e77c04fe79447c2f0131e8298957355f7af07690bbff7e8f79bbe110dc3a793ee927d37c26b4f638db5860fed5ca0604

        • memory/1632-55-0x00000000760F1000-0x00000000760F3000-memory.dmp

          Filesize

          8KB