Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2022, 07:42

General

  • Target

    b9f7069adbd290e6d9ec6c97d9c98a53.dll

  • Size

    5.0MB

  • MD5

    b9f7069adbd290e6d9ec6c97d9c98a53

  • SHA1

    cc92098be427e8824f24d33f644e24f1332c1d8f

  • SHA256

    5d52eec99f5bb3342372f1667b61cd0297db540a84c091c358696073ce1dcbaa

  • SHA512

    946d812a115bb4fdc7198d5c7d5ca7569e3bf08f2bff13bc6acba80aca0672da62fad76b684750eca7766ba88c985ff5121dc3c65aa73962c33d6a5b61ec11b3

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1258) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9f7069adbd290e6d9ec6c97d9c98a53.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b9f7069adbd290e6d9ec6c97d9c98a53.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1836
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:320
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1308

Network

        Downloads

        • C:\WINDOWS\mssecsvr.exe

          Filesize

          2.2MB

          MD5

          36eaefe7bd29722caf93a2c35d43e26d

          SHA1

          83b3c33fa008122e5828d17c6546c8c732e97107

          SHA256

          6c3dcf66abc7ab7c0c6bccb492ad4ab3604b88796e3db6d79d025c4cbcfc077d

          SHA512

          a6db849ea99d2b4a3f04a0d0b9f9e8180404782624008e0049e3c7175ceeb29b2210d74e7430ee53f42968b3dd987241ed05672e1b7feeebe3aac56009ac5fae

        • C:\WINDOWS\tasksche.exe

          Filesize

          2.0MB

          MD5

          821d10b8f06f9d2dc7acd5ad9fd6fb01

          SHA1

          a94e5aef4d32e4b3d69c6c501905a9cf5c96b7a1

          SHA256

          a94ceffc16534405e9961cf2ebe70c5a9164db45346d9ed0262c14a7853be36f

          SHA512

          e2135b6aaa98c666207724697bd43b0bc8a34d1b25ecbad8e13db67988b0e4a00f3b489042f24cd24623cf31db5d564e0359110626409a82855e861dd2c060c1

        • C:\Windows\mssecsvr.exe

          Filesize

          2.2MB

          MD5

          36eaefe7bd29722caf93a2c35d43e26d

          SHA1

          83b3c33fa008122e5828d17c6546c8c732e97107

          SHA256

          6c3dcf66abc7ab7c0c6bccb492ad4ab3604b88796e3db6d79d025c4cbcfc077d

          SHA512

          a6db849ea99d2b4a3f04a0d0b9f9e8180404782624008e0049e3c7175ceeb29b2210d74e7430ee53f42968b3dd987241ed05672e1b7feeebe3aac56009ac5fae

        • C:\Windows\tasksche.exe

          Filesize

          2.0MB

          MD5

          821d10b8f06f9d2dc7acd5ad9fd6fb01

          SHA1

          a94e5aef4d32e4b3d69c6c501905a9cf5c96b7a1

          SHA256

          a94ceffc16534405e9961cf2ebe70c5a9164db45346d9ed0262c14a7853be36f

          SHA512

          e2135b6aaa98c666207724697bd43b0bc8a34d1b25ecbad8e13db67988b0e4a00f3b489042f24cd24623cf31db5d564e0359110626409a82855e861dd2c060c1

        • memory/1836-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

          Filesize

          8KB