Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    15-05-2021 12:47

General

  • Target

    d8ba498e048da8aebc87acca0f5a3ff6252f0b378d63cb00c996b59f17fd96bc.exe

  • Size

    101KB

  • MD5

    ad8e8961f4300df833dc805049ad5e17

  • SHA1

    0c67135befbc2dc3c7e8af5bdb6e8a4dbb3c4bb3

  • SHA256

    d8ba498e048da8aebc87acca0f5a3ff6252f0b378d63cb00c996b59f17fd96bc

  • SHA512

    c9a98bcc1391ba1423164fc319dc2d71f82eff56f552175a66919ac2563975f5346c1fe9500b6195d16295309f11cce155ccdf6ea46e324460cc5e9eef035777

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Modifies data under HKEY_USERS 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\wininit.exe
    wininit.exe
    1⤵
    PID:376
      • C:\Windows\system32\services.exe
        C:\Windows\system32\services.exe
        2⤵
        PID:472
          • C:\Windows\system32\taskhost.exe
            "taskhost.exe"
            3⤵
            PID:1128
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
            3⤵
            PID:1040
          • C:\Windows\System32\spoolsv.exe
            C:\Windows\System32\spoolsv.exe
            3⤵
            PID:532
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k NetworkService
            3⤵
            PID:284
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs
            3⤵
            PID:872
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalService
            3⤵
            PID:844
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
            3⤵
            PID:808
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
            3⤵
            PID:744
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k RPCSS
            3⤵
            PID:668
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k DcomLaunch
            3⤵
            PID:588
              • C:\Windows\system32\wbem\wmiprvse.exe
                C:\Windows\system32\wbem\wmiprvse.exe -Embedding
                4⤵
                PID:1880
          • C:\Windows\system32\sppsvc.exe
            C:\Windows\system32\sppsvc.exe
            3⤵
            PID:1680
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
            3⤵
            PID:1752
          • C:\WINDOWS\mssecsvc.exe
            C:\WINDOWS\mssecsvc.exe -m security
            3⤵
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            PID:804
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        2⤵
        PID:480
          • C:\WINDOWS\mssecsvc.exe
            C:\WINDOWS\mssecsvc.exe
            3⤵
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2012
          • C:\WINDOWS\mssecsvc.exe
            C:\WINDOWS\mssecsvc.exe
            3⤵
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1632
      • C:\Windows\system32\lsm.exe
        C:\Windows\system32\lsm.exe
        2⤵
        PID:488
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    1⤵
    PID:384
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
    PID:424
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1272
      • C:\Users\Admin\AppData\Local\Temp\d8ba498e048da8aebc87acca0f5a3ff6252f0b378d63cb00c996b59f17fd96bc.exe
        "C:\Users\Admin\AppData\Local\Temp\d8ba498e048da8aebc87acca0f5a3ff6252f0b378d63cb00c996b59f17fd96bc.exe"
        2⤵
        PID:2032
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:1196

Network

MITRE ATT&CK Matrix

Downloads

  • C:\WINDOWS\TASKSCHE.EXE

    MD5

    8499bd60a2ed89fb036d124fa5062c00

    SHA1

    148a30623f08c4f905e0ea30e9d41e20d0f1a981

    SHA256

    36a952a5ab46bd1304eee6b0e82b2348cda2967dab4080e3e0b44da94d2cef60

    SHA512

    bff0a6d95c603ba5a55f499d66f4db1acf3d7e0ca36f9b9120e0efcc9d077ac5b5d27676a1d37d6f5eebc68d3af98c3125a1489ea9b57187a0ba8914578854e1

  • memory/804-65-0x000000007EF20000-0x000000007EF2C000-memory.dmp

    Filesize

    48KB

  • memory/2032-60-0x0000000076281000-0x0000000076283000-memory.dmp

    Filesize

    8KB