Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2022, 07:46

General

  • Target

    62ed37a3261ee068f20ae40345d68dce.dll

  • Size

    5.0MB

  • MD5

    62ed37a3261ee068f20ae40345d68dce

  • SHA1

    7c576f3ddc9442b44f5345540cde155af694329e

  • SHA256

    630cfd1793a5d28904da942e5d84e386a13c03cd4c5270001a81f4025d57c077

  • SHA512

    d673c5c471f05ae3b32b02c4524db62f2d435ee295f77d1f9ff0ffb7a2e6c5811eee86e973d4967e767b4fc53bc721f805ad10c2ed3ae56f141e7f09c87b1c53

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1270) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\62ed37a3261ee068f20ae40345d68dce.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:976
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\62ed37a3261ee068f20ae40345d68dce.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:636
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 36
            5⤵
            • Program crash
            PID:1284
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1200

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\WINDOWS\mssecsvr.exe

          Filesize

          2.2MB

          MD5

          c4bad625b192a1ca49deec0d0bd624bc

          SHA1

          307cb2044420379c8d5102d11071a1b8370ee501

          SHA256

          e7b3e643a52a7648320b817976cb96764075db281b457f36d06c94ce91adb4ff

          SHA512

          e7120451719c263737945dc9607e3419d71ea92b3f9ca3d10844523bfc3e592098a2ffb428fecb1035c6aa7c1870ab3988bd99f63f24bd1f4bd88639c8f4c060

        • C:\Windows\mssecsvr.exe

          Filesize

          2.2MB

          MD5

          c4bad625b192a1ca49deec0d0bd624bc

          SHA1

          307cb2044420379c8d5102d11071a1b8370ee501

          SHA256

          e7b3e643a52a7648320b817976cb96764075db281b457f36d06c94ce91adb4ff

          SHA512

          e7120451719c263737945dc9607e3419d71ea92b3f9ca3d10844523bfc3e592098a2ffb428fecb1035c6aa7c1870ab3988bd99f63f24bd1f4bd88639c8f4c060

        • C:\Windows\tasksche.exe

          Filesize

          2.0MB

          MD5

          ff6e8851801d2356c92cb126b2d3d917

          SHA1

          fd54c606869a037a1a185556db142bee37d44671

          SHA256

          ac277431dbb922802187413c2c726b2631b293f02d92da74ab4a2ac98cd0529b

          SHA512

          e21bcdd91007da09eade3ef0ae754890816623b4f9d2301458e4c141d1193284e3d4376b44342bcb50f9eed7001178a4791e61141b04471b4da88d5fca23d05c

        • memory/1908-55-0x00000000768F1000-0x00000000768F3000-memory.dmp

          Filesize

          8KB