Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2022, 07:46

General

  • Target

    9c30ed6837ce0a422697827dd7f2c2f0.dll

  • Size

    5.0MB

  • MD5

    9c30ed6837ce0a422697827dd7f2c2f0

  • SHA1

    53e08ab7b7fbad810b1dd7f8371266245910a445

  • SHA256

    2ff2a4b08a9b7786c46b7a2afc90121b83c9fac94641278aae01d65e896f4a2d

  • SHA512

    78cd1c2ab0b6765417998766dcace14b882987cead4457fbc32bcb0121ebf2dfd8edf35620458c4d4d31e3b592f2d52c9ca4c17d780495d47447d55fc94083f8

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm. The process tree below shows its characteristic staging: the dropper mssecsvc.exe is written to the Windows directory, re-launches itself as a service with "-m security", and drops the encryptor payload tasksche.exe, which is started with "/i".

  • Contacts a large number (989) of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c30ed6837ce0a422697827dd7f2c2f0.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c30ed6837ce0a422697827dd7f2c2f0.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:860
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1244
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1176
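The signatures and process tree above can be turned into detection logic. The block below is an added example, not code from the sandbox or from the report: it transcribes the report's process records into Sysmon-style process-creation events, rebuilds the parent/child tree, and flags the rundll32 -> mssecsvc.exe -> tasksche.exe /i chain, the "-m security" service instance, and any process that contacts an unusually large set of distinct remote hosts. The connection records are constructed: the report only gives the total host count (989), so attributing the scan to PID 1176 and using port 445 are assumptions made for illustration, as are the threshold value and the event field names.

```python
"""Added example, not part of the sandbox report: rebuild the process tree
from the report's Processes records and flag (a) the rundll32 -> mssecsvc.exe
-> tasksche.exe /i dropper chain, (b) the 'mssecsvc.exe -m security' service
instance, and (c) any process talking to an unusually large set of hosts."""
import re
from collections import defaultdict

# Process-creation records transcribed from the report. Parent PIDs follow the
# report's nesting; the "-m security" instance is listed at depth 1 with no
# parent shown, so its ppid is None here.
PROCESS_EVENTS = [
    {"pid": 1108, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c30ed6837ce0a422697827dd7f2c2f0.dll,#1"},
    {"pid": 1436, "ppid": 1108, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c30ed6837ce0a422697827dd7f2c2f0.dll,#1"},
    {"pid": 860, "ppid": 1436, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 1244, "ppid": 860, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 1176, "ppid": None, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
]


def basename(path):
    """Case-folded final path component, so either casing of the Windows directory matches."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_dropper_chains(events):
    """Return (rundll32_pid, mssecsvc_pid, tasksche_pid) triples: tasksche.exe started
    with /i by an mssecsvc.exe whose own parent is rundll32.exe."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        if basename(e["image"]) != "tasksche.exe" or not re.search(r"\s/i\b", e["cmdline"], re.I):
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or basename(parent["image"]) != "mssecsvc.exe":
            continue
        grand = by_pid.get(parent["ppid"])
        if not grand or basename(grand["image"]) != "rundll32.exe":
            continue
        chains.append((grand["pid"], parent["pid"], e["pid"]))
    return chains


def find_service_instances(events):
    """PIDs of mssecsvc.exe started with '-m security' (the service re-launch)."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "mssecsvc.exe" and "-m security" in e["cmdline"].lower()]


def fanout_alerts(conn_events, threshold=100):
    """Count distinct remote hosts per pid; return {pid: count} for those at or above threshold."""
    hosts = defaultdict(set)
    for c in conn_events:
        hosts[c["pid"]].add(c["dst_ip"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


def constructed_connections():
    """Constructed connection records. The report only states that 989 remote hosts
    were contacted; attributing them to the service instance (PID 1176) and using
    port 445 are assumptions for illustration. PID 1244 gets a few benign-looking
    connections so the threshold has something to separate."""
    conns = [{"pid": 1176, "dst_ip": f"10.0.{i // 256}.{i % 256}", "dst_port": 445}
             for i in range(989)]
    conns += [{"pid": 1244, "dst_ip": ip, "dst_port": 80}
              for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.1")]
    return conns


if __name__ == "__main__":
    print("dropper chains:", find_dropper_chains(PROCESS_EVENTS))
    print("service instances:", find_service_instances(PROCESS_EVENTS))
    print("fan-out alerts:", fanout_alerts(constructed_connections()))
```

The chain match deliberately keys on ancestry plus the "/i" argument rather than on the file hashes, so it still fires on a repacked sample; the fan-out check counts distinct destination addresses per process, which is what distinguishes a scan from a busy but legitimate client hitting a handful of servers many times.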

Network

        MITRE ATT&CK Enterprise v6


        Downloads

        • C:\WINDOWS\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          b88c1916a89289c0a2b5dc653a6c8d59

          SHA1

          887cac7ed35865c9c14f9196b0e282c159e997e6

          SHA256

          6a7789c59e834612c1407e0eeae5140bc93385f20e269c19e56f7d7890171bd6

          SHA512

          f9fa8f427f65b16140c60479c07cf5c8152556b2ddfcd1e2c7752c424a54b9378094428f38d86a4b6f6c08c0b72c4563205d60bdc2bccb585a23721686f606fd

        • C:\Windows\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          b88c1916a89289c0a2b5dc653a6c8d59

          SHA1

          887cac7ed35865c9c14f9196b0e282c159e997e6

          SHA256

          6a7789c59e834612c1407e0eeae5140bc93385f20e269c19e56f7d7890171bd6

          SHA512

          f9fa8f427f65b16140c60479c07cf5c8152556b2ddfcd1e2c7752c424a54b9378094428f38d86a4b6f6c08c0b72c4563205d60bdc2bccb585a23721686f606fd

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          774c854be940865edcc542e7c700e2a8

          SHA1

          7584db11fd1d7350ba77689c6121f1645b254378

          SHA256

          d2ec9d641e375cdc0c1ff1756980d044a58c10bb25bb3994bb273ee458da5bde

          SHA512

          65a4977574770e6f2d662fb99fa8b27d11694dc79c0abeb5029517c587cf17bab63cca01d9e40407b12ac9d42c01a185e8926c5144c9304b033e67f98f11b560

        • memory/1436-55-0x0000000076921000-0x0000000076923000-memory.dmp

          Filesize

          8KB
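The Downloads section lists the same dropped file more than once under differently cased paths, and a practitioner usually wants these records as a clean IOC set rather than as flattened page text. The block below is an added example, not code from the sandbox: it parses a constructed copy of the report's "path / Filesize / MD5 / SHA1 / SHA256 / SHA512" layout, validates that each digest has the right length, collapses entries that are the same file under case-variant paths, and compares an arbitrary byte blob against the records by all four digests. The embedded record text is transcribed from this page; the byte blob used for comparison is constructed and is not the sample.

```python
"""Added example, not the sandbox's own code: parse the report's flattened
Downloads records into an IOC list, dedupe case-variant paths, and check a
candidate file's digests against them."""
import hashlib
import re

# Transcribed from the report's Downloads section. Two entries are the same
# dropped file listed under "C:\WINDOWS" and "C:\Windows".
DOWNLOADS_TEXT = r"""
• C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB
MD5
b88c1916a89289c0a2b5dc653a6c8d59
SHA1
887cac7ed35865c9c14f9196b0e282c159e997e6
SHA256
6a7789c59e834612c1407e0eeae5140bc93385f20e269c19e56f7d7890171bd6
SHA512
f9fa8f427f65b16140c60479c07cf5c8152556b2ddfcd1e2c7752c424a54b9378094428f38d86a4b6f6c08c0b72c4563205d60bdc2bccb585a23721686f606fd
• C:\Windows\mssecsvc.exe
Filesize
3.6MB
MD5
b88c1916a89289c0a2b5dc653a6c8d59
SHA1
887cac7ed35865c9c14f9196b0e282c159e997e6
SHA256
6a7789c59e834612c1407e0eeae5140bc93385f20e269c19e56f7d7890171bd6
SHA512
f9fa8f427f65b16140c60479c07cf5c8152556b2ddfcd1e2c7752c424a54b9378094428f38d86a4b6f6c08c0b72c4563205d60bdc2bccb585a23721686f606fd
• C:\Windows\tasksche.exe
Filesize
3.4MB
MD5
774c854be940865edcc542e7c700e2a8
SHA1
7584db11fd1d7350ba77689c6121f1645b254378
SHA256
d2ec9d641e375cdc0c1ff1756980d044a58c10bb25bb3994bb273ee458da5bde
SHA512
65a4977574770e6f2d662fb99fa8b27d11694dc79c0abeb5029517c587cf17bab63cca01d9e40407b12ac9d42c01a185e8926c5144c9304b033e67f98f11b560
"""

# Expected hex-digit length of each digest field as printed in the report.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_downloads(text):
    """Turn the flattened label/value layout into a list of dict records.
    Raises ValueError if a digest does not have the expected hex length."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, current, i = [], None, 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("•"):
            current = {"path": ln[1:].strip()}
            records.append(current)
            i += 1
        elif current is not None and (ln == "Filesize" or ln in HEX_LEN) and i + 1 < len(lines):
            value = lines[i + 1]
            if ln in HEX_LEN:
                value = value.lower()
                if not re.fullmatch(f"[0-9a-f]{{{HEX_LEN[ln]}}}", value):
                    raise ValueError(f"{ln} for {current['path']} is not {HEX_LEN[ln]} hex chars")
            current[ln.lower()] = value
            i += 2
        else:
            i += 1
    return records


def dedupe(records):
    """Collapse records that name the same file: Windows paths are case-insensitive,
    so key on the lower-cased path plus SHA256 and keep the first occurrence."""
    seen = {}
    for r in records:
        seen.setdefault((r["path"].lower(), r["sha256"]), r)
    return list(seen.values())


def digests(data):
    """All four digests of a byte string, keyed the same way as the records."""
    return {name: getattr(hashlib, name)(data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def match_record(data, records):
    """Return (path, agreeing_algorithms) for each record sharing at least one digest
    with data. A partial agreement means a transcription error in the report or a
    collision, and deserves a look rather than a silent 'match'."""
    d = digests(data)
    hits = []
    for r in records:
        agree = [a for a in d if r.get(a) == d[a]]
        if agree:
            hits.append((r["path"], agree))
    return hits


if __name__ == "__main__":
    iocs = dedupe(parse_downloads(DOWNLOADS_TEXT))
    for r in iocs:
        print(r["path"], r["sha256"])
    print(match_record(b"constructed bytes, not the sample", iocs))
```

Keying the dedup on path plus SHA256 rather than path alone keeps two genuinely different files dropped at the same location (for example across runs) as separate IOCs, while the length check catches the common copy-paste failure of a truncated digest before it reaches a blocklist.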