Overview

overview

10

Static

static

00bc02b91a...4f.dll

windows7_x64

10

00bc02b91a...4f.dll

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 10:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00bc02b91a3850390e977e4b75f1f84f.dll

  • Size

    5.0MB

  • MD5

    00bc02b91a3850390e977e4b75f1f84f

  • SHA1

    73240c616134f1830a0ab8dd565284d92e238333

  • SHA256

    88489f32a5e8521eb18fc390aac403c729fccb579e5b23307ca487ec7c724ce1

  • SHA512

    7baaf5578589f6881334868c1c7a4739a7e2294cef4967f10db20d9280dff2379b0977c6bec9d7c57b50df0e064a71d9df7be39ce48605a5c32b868e927667a5

Score
10/10
wannacryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 216 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\00bc02b91a3850390e977e4b75f1f84f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:984
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\00bc02b91a3850390e977e4b75f1f84f.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3900
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:812
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2460
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1604
  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
    1⤵
    • Checks processor information in registry
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3736
    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3856
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6EF92534DF9374E2DB9505BE8B150A1C --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        3⤵
          PID:3992
        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AA5C11C524EA84599547E26BCD2D088B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AA5C11C524EA84599547E26BCD2D088B --renderer-client-id=2 --mojo-platform-channel-handle=1620 --allow-no-sandbox-job /prefetch:1
          3⤵
            PID:3620
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=50D7F3F481BA536D0694530263C74E71 --mojo-platform-channel-handle=2232 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
            3⤵
              PID:3156
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6AC02D31CD9AE819430C9A99459516A7 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
              3⤵
                PID:1596
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=27CFF21EEBD6FB9ABFAC8F1A5ED0E185 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                3⤵
                  PID:2728

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Modify Registry

            1
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\WINDOWS\mssecsvc.exe
              MD5

              8d9a4207429d7e829dc91955a1694d7e

              SHA1

              07f3c64ff5c68b3eafa417dab76c989fc9fff171

              SHA256

              17e5e0d52f4de23d3195ec2d93d366fefc7e59b6b20f71df12e7218313163da2

              SHA512

              98c5d9fd1a665446e8a443ed8d60cb250924386ce2d24d7501ec3b2d292240122a8916af1860d5d689177f582890226286ed8f0ed4e8cec5db2d024d8a88d70b

              Download Submit
            • C:\Windows\mssecsvc.exe
              MD5

              8d9a4207429d7e829dc91955a1694d7e

              SHA1

              07f3c64ff5c68b3eafa417dab76c989fc9fff171

              SHA256

              17e5e0d52f4de23d3195ec2d93d366fefc7e59b6b20f71df12e7218313163da2

              SHA512

              98c5d9fd1a665446e8a443ed8d60cb250924386ce2d24d7501ec3b2d292240122a8916af1860d5d689177f582890226286ed8f0ed4e8cec5db2d024d8a88d70b

              Download Submit
            • C:\Windows\mssecsvc.exe
              MD5

              8d9a4207429d7e829dc91955a1694d7e

              SHA1

              07f3c64ff5c68b3eafa417dab76c989fc9fff171

              SHA256

              17e5e0d52f4de23d3195ec2d93d366fefc7e59b6b20f71df12e7218313163da2

              SHA512

              98c5d9fd1a665446e8a443ed8d60cb250924386ce2d24d7501ec3b2d292240122a8916af1860d5d689177f582890226286ed8f0ed4e8cec5db2d024d8a88d70b

              Download Submit
            • C:\Windows\tasksche.exe
              MD5

              741b6e8f838fd37cdf0431551432b0e7

              SHA1

              1a480f81cb2308c28b3eaee24e04ef133ff2e41e

              SHA256

              3a4a89b71005c5233e592cc20d6fd06b21aeca3415554390e4365bb76eade469

              SHA512

              0e12d88c40ee38d717a8501bf67f63885afef54328105f4337d59c516f5a3f562e4fa4f7ec54e9afffa04a402918699c33b8d2ccc76b8e5c60c76de4d0fd9cac

              Download Submit
            • memory/812-3-0x0000000000000000-mapping.dmp
              Download
            • memory/1596-21-0x0000000000000000-mapping.dmp
              Download
            • memory/1596-20-0x0000000077132000-0x000000007713200C-memory.dmp
              Filesize

              12B

              Download
            • memory/2728-24-0x0000000000000000-mapping.dmp
              Download
            • memory/2728-23-0x0000000077132000-0x000000007713200C-memory.dmp
              Filesize

              12B

              Download
            • memory/3156-18-0x0000000000000000-mapping.dmp
              Download
            • memory/3156-17-0x0000000077132000-0x000000007713200C-memory.dmp
              Filesize

              12B

              Download
            • memory/3620-13-0x0000000000000000-mapping.dmp
              Download
            • memory/3620-12-0x0000000077132000-0x000000007713200C-memory.dmp
              Filesize

              12B

              Download
            • memory/3856-8-0x0000000000000000-mapping.dmp
              Download
            • memory/3900-2-0x0000000000000000-mapping.dmp
              Download
            • memory/3992-10-0x0000000000000000-mapping.dmp
              Download
            • memory/3992-9-0x0000000077132000-0x000000007713200C-memory.dmp
              Filesize

              12B

              Download