Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/07/2022, 07:48

General

  • Target

    2fef747b9af97b5d5f51f6c8b78fc7e5.dll

  • Size

    5.0MB

  • MD5

    2fef747b9af97b5d5f51f6c8b78fc7e5

  • SHA1

    2819b156e2642287f6e5b8f3edf44be868f42398

  • SHA256

    eef05d989b43900560a8bee6a5dc777bbf3bbc2ce303000aa37143c5d5866ab4

  • SHA512

    dfaca04e2f9361388d69809f17511b845f7f265f28ef923bc817c02c324ba1ec4b787f293562f18c53bdf8b3429fcbb0861fe9751a0a8a8773579c424082914c

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (746) number of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (3 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Modifies data under HKEY_USERS (24 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fef747b9af97b5d5f51f6c8b78fc7e5.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fef747b9af97b5d5f51f6c8b78fc7e5.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1952
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1676
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1744

Network

        MITRE ATT&CK Enterprise v6

        Downloads

        • C:\WINDOWS\mssecsvc.exe

          Filesize

          3.6MB

          MD5

          847552f3a002185c4a835f9591a97581

          SHA1

          3571a6c8c5f9eb76a246f1bcb7a274fb4f1cec7a

          SHA256

          a79301ea4e6776c0b655276aed6ba149c7cbf9a37c219c8dc22fb857e5df191b

          SHA512

          0136b37902aab5ddb58ae284b44d78c178351163631374cd5d69635eb4890ace8a437714d812f9d3e0e4b017f94e5cf2046dd00b356083ae5a5a36cfb1ce78d8

        • C:\Windows\tasksche.exe

          Filesize

          3.4MB

          MD5

          4ae2a7352491c1f756b738048a66e3e8

          SHA1

          12ab9b1ceeb165b3d3f5ede529d05f2c2a260436

          SHA256

          6d5c3b74f8bd7df577ee946df65e6d4baf85739c13daa7d3f71858cba94ef9a1

          SHA512

          c9e5cb8eeccd0159aa6a23a50005ea028e4d4e9b3c20afa73411de49331074dd5870330cfedbc5c4dcd02611c49703838aca7e4884395dafe12a9d6c6c4cf750

        • memory/608-55-0x0000000074F01000-0x0000000074F03000-memory.dmp

          Filesize

          8KB