Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-07-2022 01:41

General

  • Target
    eca094ab2d325e60b301e8deba35fa8b.dll
  • Size
    5.0MB
  • MD5
    eca094ab2d325e60b301e8deba35fa8b
  • SHA1
    9c4c8e778019818b146d0659c1219e423d06ccca
  • SHA256
    f88896ee7a238e282b6d70971f2113ee11da11ba8797d84d0f629ce0b6fbf3c5
  • SHA512
    c1703b8b131c8d1e7d62635c1862ab8a397e2722a797b83722add8200436e7a17e1da1fff64842d9e18752d02bf84f8e2c5e5ae417c8d377f1e1ab8a2a2c223d

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1234) number of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (3 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Modifies data under HKEY_USERS (24 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\eca094ab2d325e60b301e8deba35fa8b.dll,#1
    PID: 1616
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\eca094ab2d325e60b301e8deba35fa8b.dll,#1
      PID: 1484
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        PID: 1916
        • Executes dropped EXE
        • Drops file in Windows directory
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          PID: 472
          • Executes dropped EXE
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    PID: 952
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize: 3.6MB
    MD5: d33cda3e33c46c8fc18d648dffd56bad
    SHA1: 2805e04d687b06cf2a03c64ce1aab51549146e44
    SHA256: dd554455be6d2adf8dcdf68b42c557b7d0e8e743ee2f3e0cdb0594641b45e39d
    SHA512: 00b93996cf1493d593e632bfe5b9b7a95f8b549403e03f37ddf14278c8a7e248e98b80214bd166f8f653c5ecbec22ed3f1933ec87fc09222159a2557030e78b6

  • C:\Windows\mssecsvc.exe
    Filesize: 3.6MB
    MD5: d33cda3e33c46c8fc18d648dffd56bad
    SHA1: 2805e04d687b06cf2a03c64ce1aab51549146e44
    SHA256: dd554455be6d2adf8dcdf68b42c557b7d0e8e743ee2f3e0cdb0594641b45e39d
    SHA512: 00b93996cf1493d593e632bfe5b9b7a95f8b549403e03f37ddf14278c8a7e248e98b80214bd166f8f653c5ecbec22ed3f1933ec87fc09222159a2557030e78b6

  • C:\Windows\tasksche.exe
    Filesize: 3.4MB
    MD5: 6bd49aec118f6df4e2a7076dfbabfadd
    SHA1: 05304b7b4c61cf08f00f49e19cc85af9508b6ac4
    SHA256: 1b88ec91307d556ca5c95dad8ab28d65e4e11b02050889fd8b850b54445feee5
    SHA512: f7c0472977984b3a5377bd095719684f2e42f28b802035144820811a7684b4e845537b334c41dc89eb765e8903d4aaf5eec76a065deac8018f5e32904696cc73

  • memory/1484-54-0x0000000000000000-mapping.dmp
  • memory/1484-55-0x00000000758B1000-0x00000000758B3000-memory.dmp
    Filesize: 8KB
  • memory/1916-56-0x0000000000000000-mapping.dmp