Overview

overview

10

Static

static

2dec255306...ad.dll

windows7-x64

10

2dec255306...ad.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    20-07-2022 00:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2dec2553068c0e7f3a4506bf410260ad.dll

  • Size

    5.0MB

  • MD5

    2dec2553068c0e7f3a4506bf410260ad

  • SHA1

    5970b85c06cbadf33567b1c05bc650e4a5978b31

  • SHA256

    f3422d64bb63fb12ffb95cee19fa02f14c83d7bffdfa443eb6a0c460da70d8dd

  • SHA512

    294811fc7352fc94a06bcd25e1cae2e2682ceddb633211ee156fa088c6dff727fa092cdde113bbbcb6cb24926b197f1eddd1974f49eb7e090e7e2eab1b073d8b

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (1304) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dec2553068c0e7f3a4506bf410260ad.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\2dec2553068c0e7f3a4506bf410260ad.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1188
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:668
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1700
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1896

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    df432148530b9908d656f1bd759fbf2d

    SHA1

    5011840074ed8bc8c4085e76dc4eb5afc3f13024

    SHA256

    9ccc2ac991e53773acbccd1449c46e4b7c2fea759442fafa65b98746bb79ed4d

    SHA512

    6fcff0e0524a499946d2dfc549ef94971a7bcaffca4e0bd3371f9a043d69501eb0009c45ce7601604d84b8b12984e78e601b5196a306409d461ca5e4b2163fe0

    Download Submit
  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    df432148530b9908d656f1bd759fbf2d

    SHA1

    5011840074ed8bc8c4085e76dc4eb5afc3f13024

    SHA256

    9ccc2ac991e53773acbccd1449c46e4b7c2fea759442fafa65b98746bb79ed4d

    SHA512

    6fcff0e0524a499946d2dfc549ef94971a7bcaffca4e0bd3371f9a043d69501eb0009c45ce7601604d84b8b12984e78e601b5196a306409d461ca5e4b2163fe0

    Download Submit
  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    df432148530b9908d656f1bd759fbf2d

    SHA1

    5011840074ed8bc8c4085e76dc4eb5afc3f13024

    SHA256

    9ccc2ac991e53773acbccd1449c46e4b7c2fea759442fafa65b98746bb79ed4d

    SHA512

    6fcff0e0524a499946d2dfc549ef94971a7bcaffca4e0bd3371f9a043d69501eb0009c45ce7601604d84b8b12984e78e601b5196a306409d461ca5e4b2163fe0

    Download Submit
  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    76d06d2096fe49ac97c2bf21709bbba4

    SHA1

    a7df08006ceafb441271c615c2e1d67218ba81a1

    SHA256

    945f2bb56bfef539d0404194bb7a7ac1f79b2307c33c8b196078c7b16bba098c

    SHA512

    b29a68783506989f55eaf6bf160ab285f4579e62e8ca01ad9ef3f4cfd460832a703641a52332a4880b3f8e5d5a63cde897776dd2756b9b9e930280e8dcfd0031

    Download Submit
  • memory/668-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1188-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1188-55-0x0000000076031000-0x0000000076033000-memory.dmp
    Filesize

    8KB

    Download