Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    14-06-2022 20:52

General

  • Target

    2d0095f2fefbc0f89c491e1d78d3179d22c9b0b91fd93c1b1d91d12ed40b3515.dll

  • Size

    5.0MB

  • MD5

    e2fec3f5f8b0a02c8be11d256129e58c

  • SHA1

    b0425805b0fd4218606b981e3617cc9c8fdce127

  • SHA256

    2d0095f2fefbc0f89c491e1d78d3179d22c9b0b91fd93c1b1d91d12ed40b3515

  • SHA512

    9075a119e9ba4c3f70589250a9ab05980607274908dd9aedb1ef2a06aafe0150cf9bfbb4218299edd505579da7820c349b12f77f2d7bdc511f5a2fac733b2073

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • suricata: ET MALWARE Known Sinkhole Response Kryptos Logic

  • suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

  • Contacts a large (1293) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d0095f2fefbc0f89c491e1d78d3179d22c9b0b91fd93c1b1d91d12ed40b3515.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d0095f2fefbc0f89c491e1d78d3179d22c9b0b91fd93c1b1d91d12ed40b3515.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:904
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:624
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1180
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2008

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\WINDOWS\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    3dec15e4d3fdde40ecbf420c7371112e

    SHA1

    2d6bfb1c8df87802c020dea14085d057a85e2adb

    SHA256

    6cf08c6e607963144927a2961d1672444a923629ae0a7cfb11ac22c8b4078cd1

    SHA512

    5a10e566eca50dd140e0e0ebee32b0f649185ef666e1d437172397cdd122e9ad64f40d25b7ede2e03e7b09a4ddad8a6eaa48a48735e5de984d3bb6c67057a61d

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    3dec15e4d3fdde40ecbf420c7371112e

    SHA1

    2d6bfb1c8df87802c020dea14085d057a85e2adb

    SHA256

    6cf08c6e607963144927a2961d1672444a923629ae0a7cfb11ac22c8b4078cd1

    SHA512

    5a10e566eca50dd140e0e0ebee32b0f649185ef666e1d437172397cdd122e9ad64f40d25b7ede2e03e7b09a4ddad8a6eaa48a48735e5de984d3bb6c67057a61d

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    fb9bd631e9f198744983a0e08ac8e7d7

    SHA1

    eb41fe04c75db97c0a6439f75bcb870dffdacb3f

    SHA256

    43e12632a26b499a82aa82b8633f52ddb7b035b323c2df474061388b88b0471f

    SHA512

    c35612de85d7eeee0920e979e16d711c12c24acdcc9c56390baf33d6beec8a9de6125d21292c8b21f80e53686e2587c87757ff94c76ebeaa0a34f7e44da10d42

  • memory/624-56-0x0000000000000000-mapping.dmp

  • memory/904-54-0x0000000000000000-mapping.dmp

  • memory/904-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

    Filesize

    8KB