Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2022, 07:40

General

  • Target

    f1c1fc835aabddc1adc200e26acd0745.dll

  • Size

    5.0MB

  • MD5

    f1c1fc835aabddc1adc200e26acd0745

  • SHA1

    14bf8595ec6b87db66ed6ab6f5704110a0b787c6

  • SHA256

    a5dabe33b1721f3aa144e6bd3e5364521f3793a45c7ca9a07b28073bf20eff7b

  • SHA512

    38230e6d7d50319dff8241b6a83e10dd50c401338b92981eee43701ab00a19c08a0dc342ea6edb5baee7e80d9d4dbe0251e291c0c73d39aed675f78edb794104

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (1282) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1c1fc835aabddc1adc200e26acd0745.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1c1fc835aabddc1adc200e26acd0745.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1504
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:320
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1576

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\WINDOWS\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          f3039c7336e7f6d4328f94fa303dcced

          SHA1

          1677d4d93437e2d8515f35d6b26e1b00030bc03a

          SHA256

          d166b5c75449ef64b033e97b0d8ca7f3c4d4b24b8ddf45a19643df0e5aea8e9f

          SHA512

          3244ff12287276525595b64ca832fe8356454df6adf1a1de6cd07992a95595e6432ff85b9f9e496975fa8df4685a70fb68e18cf60fce666c6c58acd2c00c1f3c

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          f3039c7336e7f6d4328f94fa303dcced

          SHA1

          1677d4d93437e2d8515f35d6b26e1b00030bc03a

          SHA256

          d166b5c75449ef64b033e97b0d8ca7f3c4d4b24b8ddf45a19643df0e5aea8e9f

          SHA512

          3244ff12287276525595b64ca832fe8356454df6adf1a1de6cd07992a95595e6432ff85b9f9e496975fa8df4685a70fb68e18cf60fce666c6c58acd2c00c1f3c

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          435273746a63b67feb46ba53b3f57075

          SHA1

          1d9c9c6e3266061c6ad2a84466eec1b7153ff16c

          SHA256

          eec16823fe58cbed7d91ac56356e17a87af9f2488753e1f200c5bf5b46151db1

          SHA512

          c5a1c46361f3b4e55f17e3d335f668b6eefb07058d64f3019c70575e890ea9dba64731a692aa7b91a4873938c5c4f2798f4cb86bb73d20df9b53ff3a0ba440a5

        • memory/1956-55-0x0000000076021000-0x0000000076023000-memory.dmp

          Filesize

          8KB