Overview

overview

10

Static

static

2e67865b95...84.dll

windows10_x64

10

Resubmissions

24-06-2022 15:06

220624-sgy64adbbj 10

22-06-2022 08:47

220622-kpxz1aegd4 10

Analysis

  • max time kernel
    510s
  • max time network
    513s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    24-06-2022 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e67865b954436c36f6233e1cd7337e643f4369639a7c8f7175721e884981884.dll

  • Size

    5.0MB

  • MD5

    5d446ad3d84db7a2acad9b403129e072

  • SHA1

    38bb2766c0bf3f1a06ef60f4ec9d1cf35c878964

  • SHA256

    2e67865b954436c36f6233e1cd7337e643f4369639a7c8f7175721e884981884

  • SHA512

    3d376e294269ffdf5c18972512ca2e89d6735705318d51dd1d8d3ea12d0b301be052b979243cb1e9e546693d3f762083fcf58817a8b91b6555ffc97ff5758452

Score
10/10
wannacrydiscoveryransomwaresuricataworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • suricata: ET MALWARE Known Sinkhole Response Kryptos Logic

    suricata: ET MALWARE Known Sinkhole Response Kryptos Logic

    suricata
  • suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

    suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

    suricata
  • Contacts a large (12096) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 8 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e67865b954436c36f6233e1cd7337e643f4369639a7c8f7175721e884981884.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e67865b954436c36f6233e1cd7337e643f4369639a7c8f7175721e884981884.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4760
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:3604
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:4264
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4164
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.0.1340959341\649392795" -parentBuildID 20200403170909 -prefsHandle 1540 -prefMapHandle 1532 -prefsLen 1 -prefMapSize 219876 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 1624 gpu
        3⤵
          PID:2960
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.3.395993487\1860206558" -childID 1 -isForBrowser -prefsHandle 2240 -prefMapHandle 2236 -prefsLen 156 -prefMapSize 219876 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 2252 tab
          3⤵
            PID:4328
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4164.13.1475982280\243836777" -childID 2 -isForBrowser -prefsHandle 3428 -prefMapHandle 3424 -prefsLen 6932 -prefMapSize 219876 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4164 "\\.\pipe\gecko-crash-server-pipe.4164" 3436 tab
            3⤵
              PID:3488
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResizeConnect.m4a"
          1⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:4248
        • C:\Program Files\VideoLAN\VLC\vlc.exe
          "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResizeConnect.m4a"
          1⤵
            PID:4568

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          Network Service Scanning

          2
          T1046

          Query Registry

          1
          T1012

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\WINDOWS\mssecsvc.exe
            Filesize

            3.6MB

            MD5

            7275da38bdca671dbe9bfc01ebc859dd

            SHA1

            99c470e374415fcee801bdc52d711bec3e36f926

            SHA256

            fd2dd2b09c2723552d39994294ae5d95b6184ef0f4a3287b88f5c69680b2f71d

            SHA512

            f23043fb423bb6112ca7e7f4846acb610f62326f71153b9378c72823deabb1cc1b8b994b41c2744b73e9819ab4bb98e4cba2a58a97762d4ac735d576e1d7cc52

            Download Submit
          • C:\Windows\mssecsvc.exe
            Filesize

            3.6MB

            MD5

            7275da38bdca671dbe9bfc01ebc859dd

            SHA1

            99c470e374415fcee801bdc52d711bec3e36f926

            SHA256

            fd2dd2b09c2723552d39994294ae5d95b6184ef0f4a3287b88f5c69680b2f71d

            SHA512

            f23043fb423bb6112ca7e7f4846acb610f62326f71153b9378c72823deabb1cc1b8b994b41c2744b73e9819ab4bb98e4cba2a58a97762d4ac735d576e1d7cc52

            Download Submit
          • C:\Windows\mssecsvc.exe
            Filesize

            3.6MB

            MD5

            7275da38bdca671dbe9bfc01ebc859dd

            SHA1

            99c470e374415fcee801bdc52d711bec3e36f926

            SHA256

            fd2dd2b09c2723552d39994294ae5d95b6184ef0f4a3287b88f5c69680b2f71d

            SHA512

            f23043fb423bb6112ca7e7f4846acb610f62326f71153b9378c72823deabb1cc1b8b994b41c2744b73e9819ab4bb98e4cba2a58a97762d4ac735d576e1d7cc52

            Download Submit
          • C:\Windows\tasksche.exe
            Filesize

            3.4MB

            MD5

            8f5fc431c3e7219a043634ac346c814d

            SHA1

            89d4d0a4da512a53da3f356019683624e5655e8f

            SHA256

            cb621e6a785b36e330ff614d850eebc76e50ff3380b23fbd6fa414791ce78f8c

            SHA512

            e1a688e5410e9feffd1a5d6394e548f5bd3b1fdfc3d94bf5b2de31b7159605c2aaf95fa07a11d9dd2939bba21e5e74beaa5bb56ff56f60e100a280cc6accaf4c

            Download Submit
          • memory/4680-145-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-127-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-116-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-117-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-118-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-119-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-120-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-121-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-122-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-123-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-124-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-125-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-126-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-144-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-128-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-129-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-131-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-130-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-132-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-133-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-134-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-135-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-136-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-138-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-139-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-140-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-141-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-137-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-142-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-143-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-148-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-146-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-152-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-115-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-114-0x0000000000000000-mapping.dmp
            Download
          • memory/4680-150-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-151-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-147-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-149-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-153-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-154-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-155-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-156-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-157-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4680-160-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-162-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-165-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-158-0x0000000000000000-mapping.dmp
            Download
          • memory/4760-173-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-167-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-161-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-166-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-172-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-169-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-181-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-163-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-171-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-164-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-174-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-175-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-176-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-177-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-178-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-179-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-180-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download
          • memory/4760-170-0x0000000077160000-0x00000000772EE000-memory.dmp
            Filesize

            1.6MB

            Download