Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-07-2022 00:34

General

  • Target

    a431e6bb7ce0b05dd9d9b408868b7d1f.dll

  • Size

    5.0MB

  • MD5

    a431e6bb7ce0b05dd9d9b408868b7d1f

  • SHA1

    1d0be1cfa868f8cc3038bf6deaa9ed38094bd13f

  • SHA256

    75eaa5ae72f3f366f85c32532a66aed56c797def2c5d67d7d53c233080555958

  • SHA512

    adaff706c8610e1bf6112e103575074f62548065212f225076b92e59d0df6f6cdd602763f81026b00481579b47ce2affaa308cdc76497cf2c3d75dca8a2a4000

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1315) number of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services. For WannaCry this is the worm component (mssecsvc.exe, started below with "-m security") probing TCP/445 on other hosts for the SMBv1 service it spreads through; the host count is a strong differentiator from ordinary workstation traffic.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
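A fan-out check that reproduces the "contacts a large number of remote hosts" signature over flow records, added here as an example and not part of the sandbox report. The flow tuples, the 120 second window and the threshold of 25 distinct destinations are constructed assumptions; the report's own count (1315 hosts) comes from the sandbox's network capture, not from this code.

```python
"""Fan-out detector: flag a (source, destination port) pair that reaches many
distinct destinations inside a sliding time window.

Added example, not part of the sandbox report. Flow records below are
constructed; the (ts, src, dst, dport) layout, window and threshold are
assumptions chosen to mirror a WannaCry-style TCP/445 sweep.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.23 sweeps a /24 on TCP/445 once per second,
# while 10.0.0.50 does a DNS lookup and two legitimate SMB connections.
_BASE = datetime(2022, 7, 20, 0, 34, 0)
SAMPLE_FLOWS = [(_BASE + timedelta(seconds=i), "10.0.0.23", f"10.0.1.{i}", 445)
                for i in range(1, 61)]
SAMPLE_FLOWS += [
    (_BASE + timedelta(seconds=5), "10.0.0.50", "10.0.0.1", 53),
    (_BASE + timedelta(seconds=7), "10.0.0.50", "10.0.0.10", 445),
    (_BASE + timedelta(seconds=9), "10.0.0.50", "10.0.0.11", 445),
]


def fan_out(flows, window=timedelta(seconds=120), threshold=25):
    """Return {(src, dport): peak_distinct_dst} for every pair whose number of
    distinct destinations within any `window` reaches `threshold`."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dport)].append((ts, dst))

    hits = {}
    for key, events in by_key.items():
        events.sort()                      # order by timestamp
        left = 0
        in_window = {}                     # dst -> occurrences inside the window
        for ts, dst in events:
            in_window[dst] = in_window.get(dst, 0) + 1
            # Drop events that fell out of the trailing window.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                hits[key] = max(hits.get(key, 0), len(in_window))
    return hits


if __name__ == "__main__":
    for (src, dport), count in fan_out(SAMPLE_FLOWS).items():
        print(f"{src} reached {count} distinct hosts on tcp/{dport}")
```

Keying on (source, destination port) rather than source alone keeps a busy web proxy or DNS resolver from tripping the rule; the sliding window means a slow sweep spread over hours stays below threshold, which is the expected trade-off for a rule tuned to worm-speed propagation.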

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a431e6bb7ce0b05dd9d9b408868b7d1f.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a431e6bb7ce0b05dd9d9b408868b7d1f.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1996
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:560
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1724
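Process-creation rules that match the chain above (rundll32 loading a DLL from %TEMP% by ordinal, a dropped executable in the Windows root spawned under rundll32, and the WannaCry-specific mssecsvc.exe "-m security" and tasksche.exe "/i" invocations), added as an example and not the sandbox vendor's detection logic. The event records are constructed from this report's process tree; the field names pid/ppid/image/cmd, the parent PIDs the report does not show, and the benign notepad.exe control event are assumptions.

```python
"""Process-tree rules for the execution chain in the report.

Added example, not from the sandbox vendor. Events are constructed to mirror
the report's process tree; field names and the parents of the top-level
processes (ppid 1000 and 480) are assumptions.
"""
import re

EVENTS = [
    {"pid": 1744, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\a431e6bb7ce0b05dd9d9b408868b7d1f.dll,#1"},
    {"pid": 900, "ppid": 1744, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\a431e6bb7ce0b05dd9d9b408868b7d1f.dll,#1"},
    {"pid": 1996, "ppid": 900, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 560, "ppid": 1996, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    # Service start: parent would be services.exe (pid 480 assumed, not in the report).
    {"pid": 1724, "ppid": 480, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Constructed benign control event.
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
]

# rundll32 invoking a DLL under %LOCALAPPDATA%\Temp by export ordinal (",#N").
ORDINAL_TEMP_DLL = re.compile(
    r"rundll32\.exe\s+.*\\AppData\\Local\\Temp\\[^,\s]+\.dll,#\d+", re.I)
# An executable sitting directly in the Windows root (not System32/SysWOW64).
WINDOWS_ROOT_EXE = re.compile(r"^[A-Z]:\\windows\\[^\\]+\.exe$", re.I)


def ancestors(events, pid):
    """Walk ppid links from `pid` upward; stops at unknown pids or cycles."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def evaluate(events):
    """Return a sorted list of (pid, rule_name) hits over the event set."""
    hits = []
    for e in events:
        name = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmd"].lower()
        if ORDINAL_TEMP_DLL.search(e["cmd"]):
            hits.append((e["pid"], "rundll32_ordinal_temp_dll"))
        if WINDOWS_ROOT_EXE.match(e["image"]) and any(
                a["image"].lower().endswith("\\rundll32.exe")
                for a in ancestors(events, e["ppid"])):
            hits.append((e["pid"], "windows_root_exe_under_rundll32"))
        if name == "mssecsvc.exe" and "-m security" in cmd:
            hits.append((e["pid"], "wannacry_service_start"))
        if name == "tasksche.exe" and cmd.rstrip().endswith(" /i"):
            hits.append((e["pid"], "wannacry_tasksche_install"))
    return sorted(hits)


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"pid {pid}: {rule}")
```

The first two rules are generic and would also catch other loaders that drop into C:\Windows from a rundll32 stub; the last two are name-based and only worth keeping alongside the file hashes listed under Downloads, since a trivially renamed sample defeats them. Note that the service instance (PID 1724) is not reached by the ancestry rule because its parent is outside the captured tree, which is why the "-m security" command-line rule is needed separately.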

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    0523c35edcf098f1ffd3130e9cc1bab0

    SHA1

    2295b78f0f4bd7d99d86d6c3597e298d0fdf943f

    SHA256

    47ce0898c048abd39f4bcb04343fcfa60c239f5739b4fa5bdc7a4ea5e94e0404

    SHA512

    ff5d9e295436f8961b580bfe9f250174c85c826b078f408fdab19afddbaf400a2b3546504a070c9f1ffceab55538066e8a9380e400372c35e893aff412bd9a94

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    0523c35edcf098f1ffd3130e9cc1bab0

    SHA1

    2295b78f0f4bd7d99d86d6c3597e298d0fdf943f

    SHA256

    47ce0898c048abd39f4bcb04343fcfa60c239f5739b4fa5bdc7a4ea5e94e0404

    SHA512

    ff5d9e295436f8961b580bfe9f250174c85c826b078f408fdab19afddbaf400a2b3546504a070c9f1ffceab55538066e8a9380e400372c35e893aff412bd9a94

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    d6e25dacaff6a9b0dc0607763dead608

    SHA1

    9dc162f9e3fee6f2f080caa679bc94cdc2da7deb

    SHA256

    7dad38154b0efcc10426d97d219effb12412931a43120e5eebbba789c0b7c163

    SHA512

    57ed736cc62a6bbcf2b1d7d810559525d92cedf412d8e6e8d415838867881fd43d4226c74f4a89184e680fc2daf40a6d0ed95f42814a1878da9c869afdcf8cc2

  • memory/900-54-0x0000000000000000-mapping.dmp
  • memory/900-55-0x0000000076091000-0x0000000076093000-memory.dmp
    Filesize

    8KB

  • memory/1996-56-0x0000000000000000-mapping.dmp