Analysis

  • max time kernel
    152s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-06-2022 19:56

General

  • Target

    34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll

  • Size

    5.0MB

  • MD5

    ab02e31aa2a8ea6eecc684bfa2e3c185

  • SHA1

    6665249de09b0900743d45e141c0ec186d2e00b2

  • SHA256

    34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12

  • SHA512

    b3b8f69b5ee03890c41a4619d50dc3bcb569b5921395b226f52f790a53b553006e9ac9be417667a31664443bf7bf6cb0928c63873ffab4267268938afa6923b0

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • suricata: ET MALWARE Known Sinkhole Response Kryptos Logic
  • suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

  • Contacts a large (1066) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\34d01301694469e1cf68caa738db6cd0373bcc785649fb2f108fc39428554a12.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:944
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1200
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1184

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery: Network Service Scanning (T1046), 1 TTP

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    944dcb3668f571b7156dd18f924438fc

    SHA1

    aed293f799bcda119e84d176406d442f04f8433a

    SHA256

    97d12bb65fc078d6d6bc006963e3fa5c91c7e495ea28257fed9c87b17971a825

    SHA512

    2ab60a73346f429962d2e912319f7b9bcb5b5951599642b7f47a00f3d68d60aadf9898581daa2653feecd8e4184615ba420ac30547bb35a7185d34e5025c39cf

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    944dcb3668f571b7156dd18f924438fc

    SHA1

    aed293f799bcda119e84d176406d442f04f8433a

    SHA256

    97d12bb65fc078d6d6bc006963e3fa5c91c7e495ea28257fed9c87b17971a825

    SHA512

    2ab60a73346f429962d2e912319f7b9bcb5b5951599642b7f47a00f3d68d60aadf9898581daa2653feecd8e4184615ba420ac30547bb35a7185d34e5025c39cf

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    5914e52020bf8dcc1832e5864c85b531

    SHA1

    15fc8b4e98241605e9cadf84801d6e573d6495da

    SHA256

    67952d1154d57ae8272db63f8f746c11763008332420737da6db50c81b018ec8

    SHA512

    53a2a4f3f09c137cc348a1126e805a471965fd24a58df081fd79f6de10fcd2d4ba7637139664ff6c5df119762f602b531c5e7f0d74410bdcfd3cc23193d86ed3

  • memory/944-56-0x0000000000000000-mapping.dmp
  • memory/1208-54-0x0000000000000000-mapping.dmp
  • memory/1208-55-0x0000000076191000-0x0000000076193000-memory.dmp
    Filesize

    8KB