Overview

overview

10

Static

static

c0c6cdd528...f5.dll

windows7-x64

10

c0c6cdd528...f5.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    155s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    20-07-2022 01:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0c6cdd528c438532fe16b19c5302bf5.dll

  • Size

    5.0MB

  • MD5

    c0c6cdd528c438532fe16b19c5302bf5

  • SHA1

    2cda06ec3ed843e1c5778a91b8a2a3c1740f1a0e

  • SHA256

    7632930b27dfc20a2bd82a937b3dbf3edd5d8108c14f7fc9d083d5476a4b3fa0

  • SHA512

    9f5abda38300187b723ca90e113068f16f0a4b0ee1d0b00de0c6211ee339f2802883284b74f3755f64480e1c71fe01b58fb5e7009c094774fa2577983d67c301

Score
10/10
wannacrydiscoveryransomwareupxworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (1197) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 5 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0c6cdd528c438532fe16b19c5302bf5.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c0c6cdd528c438532fe16b19c5302bf5.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\WINDOWS\mssecsvcmgr.exe
          C:\WINDOWS\mssecsvcmgr.exe
          4⤵
          • Executes dropped EXE
          PID:904
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1784
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\WINDOWS\mssecsvcmgr.exe
      C:\WINDOWS\mssecsvcmgr.exe
      2⤵
      • Executes dropped EXE
      PID:676

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.7MB

    MD5

    e8ac4e9a26b8207b69884e4e2f30475d

    SHA1

    a060c2acc1e903e12ed52f96d1b5f7777bf18b28

    SHA256

    52752ecd2284e0565634dec194b9a917341996647d46e25b295139808c180b85

    SHA512

    845ee5ae658f0c4f80dadd70b6fa6d0fc26f8e55eb8110a119c2b428c9db6b6f207ebf49831556bf34a4dd4ca8ff02a72cc6fcf81cd3b726068130b36f8d6d83

    Download Submit

  • C:\WINDOWS\mssecsvcmgr.exe
    Filesize

    103KB

    MD5

    39ba7f790512d1af40cc864189175cb7

    SHA1

    da5f35bed908b1a0d08b7639d76cf2d711789e29

    SHA256

    b7bf5c2afcbb6f664966c7b2cd72ac8cc26f95199ff49a490550858e83a91e75

    SHA512

    0b59b197cf1123bacd7badb5b359ec17c45d99e297893a28b5130a724d6ba12465f361d7872ab3ebc527ae317735c1182d3d71bcd53b4773dbca3cd82ea1d76e

    Download Submit

  • C:\Windows\mssecsvc.exe
    Filesize

    3.7MB

    MD5

    e8ac4e9a26b8207b69884e4e2f30475d

    SHA1

    a060c2acc1e903e12ed52f96d1b5f7777bf18b28

    SHA256

    52752ecd2284e0565634dec194b9a917341996647d46e25b295139808c180b85

    SHA512

    845ee5ae658f0c4f80dadd70b6fa6d0fc26f8e55eb8110a119c2b428c9db6b6f207ebf49831556bf34a4dd4ca8ff02a72cc6fcf81cd3b726068130b36f8d6d83

    Download Submit

  • C:\Windows\mssecsvc.exe
    Filesize

    3.7MB

    MD5

    e8ac4e9a26b8207b69884e4e2f30475d

    SHA1

    a060c2acc1e903e12ed52f96d1b5f7777bf18b28

    SHA256

    52752ecd2284e0565634dec194b9a917341996647d46e25b295139808c180b85

    SHA512

    845ee5ae658f0c4f80dadd70b6fa6d0fc26f8e55eb8110a119c2b428c9db6b6f207ebf49831556bf34a4dd4ca8ff02a72cc6fcf81cd3b726068130b36f8d6d83

    Download Submit

  • C:\Windows\mssecsvcmgr.exe
    Filesize

    103KB

    MD5

    39ba7f790512d1af40cc864189175cb7

    SHA1

    da5f35bed908b1a0d08b7639d76cf2d711789e29

    SHA256

    b7bf5c2afcbb6f664966c7b2cd72ac8cc26f95199ff49a490550858e83a91e75

    SHA512

    0b59b197cf1123bacd7badb5b359ec17c45d99e297893a28b5130a724d6ba12465f361d7872ab3ebc527ae317735c1182d3d71bcd53b4773dbca3cd82ea1d76e

    Download Submit

  • C:\Windows\mssecsvcmgr.exe
    Filesize

    103KB

    MD5

    39ba7f790512d1af40cc864189175cb7

    SHA1

    da5f35bed908b1a0d08b7639d76cf2d711789e29

    SHA256

    b7bf5c2afcbb6f664966c7b2cd72ac8cc26f95199ff49a490550858e83a91e75

    SHA512

    0b59b197cf1123bacd7badb5b359ec17c45d99e297893a28b5130a724d6ba12465f361d7872ab3ebc527ae317735c1182d3d71bcd53b4773dbca3cd82ea1d76e

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    3233aced9279ef54267c479bba665b90

    SHA1

    0b2cc142386641901511269503cdf6f641fad305

    SHA256

    f60f8a6bcaf1384a0d6a76d3e88007a8604560b263d2b8aeee06fd74c9ee5b3b

    SHA512

    55f25c51ffb89d46f2a7d2ed9b67701e178bd68e74b71d757d5fa14bd9530a427104fc36116633033ead762ecf7960ab96429f5b0a085a701001c6832ba4555e

    Download Submit

  • memory/676-67-0x0000000000000000-mapping.dmp

    Download

  • memory/904-58-0x0000000000000000-mapping.dmp

    Download

  • memory/904-61-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1148-70-0x0000000000400000-0x0000000000A86000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1148-71-0x0000000000BA0000-0x0000000000BF4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1148-75-0x0000000000BA0000-0x0000000000BF4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1148-76-0x0000000000400000-0x0000000000A86000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2024-55-0x0000000075731000-0x0000000075733000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2024-54-0x0000000000000000-mapping.dmp

    Download

  • memory/2028-56-0x0000000000000000-mapping.dmp

    Download

  • memory/2028-63-0x0000000000230000-0x0000000000284000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2028-64-0x0000000000400000-0x0000000000A86000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2028-62-0x0000000000230000-0x0000000000284000-memory.dmp

    Filesize

    336KB

    Download

  • memory/2028-74-0x0000000000400000-0x0000000000A86000-memory.dmp

    Filesize

    6.5MB

    Download