Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    08-07-2022 04:02

General

  • Target

    41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll

  • Size

    5.0MB

  • MD5

    ad46e85c3890145837f40e4f26720a87

  • SHA1

    6e349a578fcbd339f54f718caf9371a887c5665f

  • SHA256

    41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5

  • SHA512

    dc7146efa798f3b3194b30c49bfa82a47f09f4f961afacebdff6065c3fbd89c67f251aabf18da29b718c344a9b02727493353ea8347e0f4dd164315690dbbed4

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • suricata: ET MALWARE Known Sinkhole Response Kryptos Logic

  • suricata: ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

  • Contacts a large (1290) number of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\41f69f5fe88422ba11f593ce216cee84775c5c896defb9eab391fa06bcc24cf5.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1456
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:268
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1200

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    Network Service Scanning
    T1046 (1)

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    134bf392d1f94f6769ddd428008d9649

    SHA1

    de91f6fffce478eaa2aafccf1781439968965447

    SHA256

    bfc2651980c65c67db98f202bf72e063dab60dc7714e7ed33a5f0a5ffa6f2c3b

    SHA512

    7555e446aa60008cadf567425429579ef5f98aa88580e9b97f49e52191338026d2c13a6da697f0b0e99c90aa37f97a29ae715994b0b57f30896dded8c426f2e5

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    134bf392d1f94f6769ddd428008d9649

    SHA1

    de91f6fffce478eaa2aafccf1781439968965447

    SHA256

    bfc2651980c65c67db98f202bf72e063dab60dc7714e7ed33a5f0a5ffa6f2c3b

    SHA512

    7555e446aa60008cadf567425429579ef5f98aa88580e9b97f49e52191338026d2c13a6da697f0b0e99c90aa37f97a29ae715994b0b57f30896dded8c426f2e5

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    302259d656616b116cf96d64964a471a

    SHA1

    a74de128df0e7e243e9d8b474e155675e13ba4b0

    SHA256

    332b33d2ae5b777ff16b03de5d5b345abb9630fe0a27b85277a79710aa010c0e

    SHA512

    00b0e5a7cf50d6759ecc406d626fa0e0ecb499125afcc2785b91de0b967a19f1ae677587e9106f59f5249acdda2acf87643da6ac45e7a8b0212b28d1edfc47d6

  • memory/1456-56-0x0000000000000000-mapping.dmp
  • memory/1628-54-0x0000000000000000-mapping.dmp
  • memory/1628-55-0x0000000075391000-0x0000000075393000-memory.dmp
    Filesize

    8KB