Overview

overview

10

Static

static

364765063f...db.dll

windows7_x64

10

364765063f...db.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    203s
  • max time network
    211s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    26-06-2022 03:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    364765063f9d485bdc767450c15bb74c9d619a1de8614232049f6e359b7ec7db.dll

  • Size

    5.0MB

  • MD5

    d454cf8158b1432c4c9f508d09f4276f

  • SHA1

    18bec73433069e332cb776c0c72f49b0a6022318

  • SHA256

    364765063f9d485bdc767450c15bb74c9d619a1de8614232049f6e359b7ec7db

  • SHA512

    7163ef196d4282da8ccc66ccde796b5216cd19dcfe526fd675c35a822035a3d93e49de2583b6656aad39c08fae2d6e60a8b28bb6d15c1d2cbd2e5b499a11837a

Score
10/10
wannacrydiscoveryransomwaresuricataworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • suricata: ET MALWARE Known Sinkhole Response Kryptos Logic

    suricata: ET MALWARE Known Sinkhole Response Kryptos Logic

    suricata
  • suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

    suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

    suricata
  • Contacts a large (796) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\364765063f9d485bdc767450c15bb74c9d619a1de8614232049f6e359b7ec7db.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:972
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\364765063f9d485bdc767450c15bb74c9d619a1de8614232049f6e359b7ec7db.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:908
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1824
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1880

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    7af921e9c5df8e3ec4e21d09852f511d

    SHA1

    a205a510bb5a70058c8084d390f00dfe59adaaf0

    SHA256

    b6d6ca9c80618d8699e38a426abe35821cee635a8f3c3b61b929ddc45d989062

    SHA512

    a66eb896d5114d91adf3593f39f4fab6306c455275b0dc9255ae1930e4473e8ad654ceb7680ccc4c5bb92aa3230aa590c7be1831a43f244ea81f912a358c5934

    Download Submit

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    7af921e9c5df8e3ec4e21d09852f511d

    SHA1

    a205a510bb5a70058c8084d390f00dfe59adaaf0

    SHA256

    b6d6ca9c80618d8699e38a426abe35821cee635a8f3c3b61b929ddc45d989062

    SHA512

    a66eb896d5114d91adf3593f39f4fab6306c455275b0dc9255ae1930e4473e8ad654ceb7680ccc4c5bb92aa3230aa590c7be1831a43f244ea81f912a358c5934

    Download Submit

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    7af921e9c5df8e3ec4e21d09852f511d

    SHA1

    a205a510bb5a70058c8084d390f00dfe59adaaf0

    SHA256

    b6d6ca9c80618d8699e38a426abe35821cee635a8f3c3b61b929ddc45d989062

    SHA512

    a66eb896d5114d91adf3593f39f4fab6306c455275b0dc9255ae1930e4473e8ad654ceb7680ccc4c5bb92aa3230aa590c7be1831a43f244ea81f912a358c5934

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    3a0b1030220320531da36737016d6736

    SHA1

    918af20cebd6fb6b017273e58a2cad2566890641

    SHA256

    da9a7273f12fc114ffc406b7f1507e8e1f5931662fa843b7719daea653846045

    SHA512

    ab923f025411895e663394680ca869d299b8eeb6e03c594530ddf42aca6565b0b6caf42fad1446e094a5356c4c8829a9b5a1a07d99223a1898f90750e018d5bf

    Download Submit

  • memory/908-56-0x0000000000000000-mapping.dmp

    Download

  • memory/960-54-0x0000000000000000-mapping.dmp

    Download

  • memory/960-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

    Filesize

    8KB

    Download