Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220414-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20/07/2022, 07:46

General

  • Target

    62ed37a3261ee068f20ae40345d68dce.dll

  • Size

    5.0MB

  • MD5

    62ed37a3261ee068f20ae40345d68dce

  • SHA1

    7c576f3ddc9442b44f5345540cde155af694329e

  • SHA256

    630cfd1793a5d28904da942e5d84e386a13c03cd4c5270001a81f4025d57c077

  • SHA512

    d673c5c471f05ae3b32b02c4524db62f2d435ee295f77d1f9ff0ffb7a2e6c5811eee86e973d4967e767b4fc53bc721f805ad10c2ed3ae56f141e7f09c87b1c53

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (3192) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in Windows directory 2 IoCs
  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\62ed37a3261ee068f20ae40345d68dce.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\62ed37a3261ee068f20ae40345d68dce.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3764
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1260
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 216
            5⤵
            • Program crash
            PID:2920
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 220
            5⤵
            • Program crash
            PID:2412
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    PID:4388
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1260 -ip 1260
    1⤵
      PID:3492
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1260 -ip 1260
      1⤵
        PID:3536

Network

MITRE ATT&CK Enterprise v6

Downloads

            • C:\WINDOWS\mssecsvr.exe

              Filesize

              2.2MB

              MD5

              c4bad625b192a1ca49deec0d0bd624bc

              SHA1

              307cb2044420379c8d5102d11071a1b8370ee501

              SHA256

              e7b3e643a52a7648320b817976cb96764075db281b457f36d06c94ce91adb4ff

              SHA512

              e7120451719c263737945dc9607e3419d71ea92b3f9ca3d10844523bfc3e592098a2ffb428fecb1035c6aa7c1870ab3988bd99f63f24bd1f4bd88639c8f4c060

            • C:\WINDOWS\tasksche.exe

              Filesize

              2.0MB

              MD5

              ff6e8851801d2356c92cb126b2d3d917

              SHA1

              fd54c606869a037a1a185556db142bee37d44671

              SHA256

              ac277431dbb922802187413c2c726b2631b293f02d92da74ab4a2ac98cd0529b

              SHA512

              e21bcdd91007da09eade3ef0ae754890816623b4f9d2301458e4c141d1193284e3d4376b44342bcb50f9eed7001178a4791e61141b04471b4da88d5fca23d05c

            • C:\Windows\mssecsvr.exe

              Filesize

              2.2MB

              MD5

              c4bad625b192a1ca49deec0d0bd624bc

              SHA1

              307cb2044420379c8d5102d11071a1b8370ee501

              SHA256

              e7b3e643a52a7648320b817976cb96764075db281b457f36d06c94ce91adb4ff

              SHA512

              e7120451719c263737945dc9607e3419d71ea92b3f9ca3d10844523bfc3e592098a2ffb428fecb1035c6aa7c1870ab3988bd99f63f24bd1f4bd88639c8f4c060

            • C:\Windows\tasksche.exe

              Filesize

              2.0MB

              MD5

              ff6e8851801d2356c92cb126b2d3d917

              SHA1

              fd54c606869a037a1a185556db142bee37d44671

              SHA256

              ac277431dbb922802187413c2c726b2631b293f02d92da74ab4a2ac98cd0529b

              SHA512

              e21bcdd91007da09eade3ef0ae754890816623b4f9d2301458e4c141d1193284e3d4376b44342bcb50f9eed7001178a4791e61141b04471b4da88d5fca23d05c