Overview

overview

10

Static

static

4c35693cad...c5.dll

windows7-x64

10

4c35693cad...c5.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags

    arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
  • submitted
    20-07-2022 01:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4c35693cadb792e90bdddc8380b842c5.dll

  • Size

    5.0MB

  • MD5

    4c35693cadb792e90bdddc8380b842c5

  • SHA1

    746a147d80ad18a14675cd3ac6ab36732b005993

  • SHA256

    ec29f4db6e43c8bfad91f4d2910c6db42b975d33f7a51c69ea9e0dc9d400584f

  • SHA512

    74ae721343082477fc09ef865d595c2150b085bea7e935e52587946da0ac0f54296a85cacdd37c9b70518668ffaf55012e8f21feade02a433363217d92544630

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (1306) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c35693cadb792e90bdddc8380b842c5.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c35693cadb792e90bdddc8380b842c5.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1016
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:908
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 36
            5⤵
            • Program crash
            PID:1588
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:928

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    4e9e7d540c73d79a641299c02154a342

    SHA1

    259a5feb4e5032d32474042aad4e3444da12df1d

    SHA256

    52f6872620f955c3ba83cb5b7662409317811a32890f1545c6aeeea851fd38a5

    SHA512

    770943a07fb2889071c3f2ae82d2db1340c871c2e95beb4fd8d64fec14451ce98c3ec7cfbc2097f6958f345f827b2de597742183530d32621793daf0c7c0c6c9

    Download Submit
  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    4e9e7d540c73d79a641299c02154a342

    SHA1

    259a5feb4e5032d32474042aad4e3444da12df1d

    SHA256

    52f6872620f955c3ba83cb5b7662409317811a32890f1545c6aeeea851fd38a5

    SHA512

    770943a07fb2889071c3f2ae82d2db1340c871c2e95beb4fd8d64fec14451ce98c3ec7cfbc2097f6958f345f827b2de597742183530d32621793daf0c7c0c6c9

    Download Submit
  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    4e9e7d540c73d79a641299c02154a342

    SHA1

    259a5feb4e5032d32474042aad4e3444da12df1d

    SHA256

    52f6872620f955c3ba83cb5b7662409317811a32890f1545c6aeeea851fd38a5

    SHA512

    770943a07fb2889071c3f2ae82d2db1340c871c2e95beb4fd8d64fec14451ce98c3ec7cfbc2097f6958f345f827b2de597742183530d32621793daf0c7c0c6c9

    Download Submit
  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    05b62993be8f2411988da09e828ea3a9

    SHA1

    a211ce025d3f266f8e60dbb5985d6b6bc6fbd795

    SHA256

    e1e1d0a7b950fee4294a3e8b8c944e215d9c9cd1aa718cc87d48c2bc2f71d149

    SHA512

    0fd8b0d191e1ef44da171bf261532394a87d5c766c49979f5061bd68d42452e741f9c6ae3dad6ff301db1c5069e533e63f6a976398c782da79b194f8da5e5559

    Download Submit
  • memory/908-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1016-54-0x0000000000000000-mapping.dmp
    Download
  • memory/1016-55-0x0000000076081000-0x0000000076083000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1588-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1948-56-0x0000000000000000-mapping.dmp
    Download