Resubmissions

10-10-2022 13:41

221010-qzcdyacaa6 10

10-10-2022 11:24

221010-nhp8csbfb7 10

Analysis

  • max time kernel
    61s
  • max time network
    63s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    10-10-2022 13:41

General

  • Target

    d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll

  • Size

    5.0MB

  • MD5

    64f90ae0b16ad69df763d4172bf7b121

  • SHA1

    cd13b94c91bcc035464c28ca953b1fca990f59d5

  • SHA256

    d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7

  • SHA512

    4d3987cf1e8f6d19f9d7c2009a579deb4793bba89fa12087a865ab4638b20183068520e656d0573974fd8ff8cc6b555f1b6289251d0864852412b070590b88fe

  • SSDEEP

    49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9Z:+DqPoBhz1aRxcSUDk36SAEdhvxWa9Z

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d085c477ebf60d0deb312b8a1e3aa08a04c0a61acb6f8085463e3f230314edc7.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2040
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1188
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    797d5d31c4e6c1accb2cbfddec8d66b9

    SHA1

    dd5d04b01214dffdd75c575eefd342026c66a39d

    SHA256

    bbc4e7f739d9e7f38a343fc018bf5df9d654ed1a52dcaf00b6cc6cfdc8b18cbd

    SHA512

    ec26bd4120474d5a996a61c202befb548b5add6ac933986f6a992d050f00ccc3ebe49d19dc6946479da5605067df7b02f26f56e64855b029721f8789ae563e42

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    797d5d31c4e6c1accb2cbfddec8d66b9

    SHA1

    dd5d04b01214dffdd75c575eefd342026c66a39d

    SHA256

    bbc4e7f739d9e7f38a343fc018bf5df9d654ed1a52dcaf00b6cc6cfdc8b18cbd

    SHA512

    ec26bd4120474d5a996a61c202befb548b5add6ac933986f6a992d050f00ccc3ebe49d19dc6946479da5605067df7b02f26f56e64855b029721f8789ae563e42

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    797d5d31c4e6c1accb2cbfddec8d66b9

    SHA1

    dd5d04b01214dffdd75c575eefd342026c66a39d

    SHA256

    bbc4e7f739d9e7f38a343fc018bf5df9d654ed1a52dcaf00b6cc6cfdc8b18cbd

    SHA512

    ec26bd4120474d5a996a61c202befb548b5add6ac933986f6a992d050f00ccc3ebe49d19dc6946479da5605067df7b02f26f56e64855b029721f8789ae563e42

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    04af554ac498ed9e1353a8751bee6001

    SHA1

    077c84f26b471c1b0075490d89fdfc5de6f7b9af

    SHA256

    84b63d5d32bdbc8570257cbd5592c37626c1808a662ad70ae8972a75b4c61158

    SHA512

    9fb261d4f2cedd26934df9f15f9044c22beaecbe109646fd0604b615344a9be124598018844b18b4a6e279df2431dba0158c9cf566036ecbbd3681e6e97e866a

  • memory/1176-54-0x0000000000000000-mapping.dmp
  • memory/1176-55-0x00000000762D1000-0x00000000762D3000-memory.dmp
    Filesize

    8KB

  • memory/2040-56-0x0000000000000000-mapping.dmp