Overview

overview

10

Static

static

06a935e7f8...b7.dll

windows7-x64

10

06a935e7f8...b7.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    20-07-2022 01:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06a935e7f87cf2480e3fbc605c67bab7.dll

  • Size

    5.0MB

  • MD5

    06a935e7f87cf2480e3fbc605c67bab7

  • SHA1

    9a4099b70455c1665c905cf86388df9e058433a5

  • SHA256

    9a7fd407910092ac9920fc621865bbdd80f3385238834eb977812c664132618b

  • SHA512

    5d2add3b2855d6cae3fe7dfc1a611aa13897965d06aa86e955aa32f972b4c174691627251fd7145416b3d2462088bec5932e3a6687b878b4ed3f3f7966fd8f20

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (1280) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\06a935e7f87cf2480e3fbc605c67bab7.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\06a935e7f87cf2480e3fbc605c67bab7.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2000
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:852

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\mssecsvr.exe
    Filesize

    2.2MB

    MD5

    5bdb4efdc9ed8e2f54c35ca11daee0ee

    SHA1

    cc65e844959b6c2439d5bd2d352b473d56f73097

    SHA256

    50dce00e3bbf1f4500aa0d8518e1ae9b826e69ba3a02d008831e5ee9f93a10ec

    SHA512

    b727171ab3ef6e74d2eb85d2922f428158449ebea6a1ee0cc23239c2adc0875a13bcf62f8be0eebee08b74f6546e0efe2768a8fcad4dc9163bd1f5ae38d87639

    Download Submit
  • C:\Windows\mssecsvr.exe
    Filesize

    2.2MB

    MD5

    5bdb4efdc9ed8e2f54c35ca11daee0ee

    SHA1

    cc65e844959b6c2439d5bd2d352b473d56f73097

    SHA256

    50dce00e3bbf1f4500aa0d8518e1ae9b826e69ba3a02d008831e5ee9f93a10ec

    SHA512

    b727171ab3ef6e74d2eb85d2922f428158449ebea6a1ee0cc23239c2adc0875a13bcf62f8be0eebee08b74f6546e0efe2768a8fcad4dc9163bd1f5ae38d87639

    Download Submit
  • C:\Windows\mssecsvr.exe
    Filesize

    2.2MB

    MD5

    5bdb4efdc9ed8e2f54c35ca11daee0ee

    SHA1

    cc65e844959b6c2439d5bd2d352b473d56f73097

    SHA256

    50dce00e3bbf1f4500aa0d8518e1ae9b826e69ba3a02d008831e5ee9f93a10ec

    SHA512

    b727171ab3ef6e74d2eb85d2922f428158449ebea6a1ee0cc23239c2adc0875a13bcf62f8be0eebee08b74f6546e0efe2768a8fcad4dc9163bd1f5ae38d87639

    Download Submit
  • memory/2000-56-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-54-0x0000000000000000-mapping.dmp
    Download
  • memory/2012-55-0x00000000761D1000-0x00000000761D3000-memory.dmp
    Filesize

    8KB

    Download