Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-07-2022 01:28

General

  • Target

    cab74b35aa582da53c621a442ec5ee33.dll

  • Size

    5.0MB

  • MD5

    cab74b35aa582da53c621a442ec5ee33

  • SHA1

    87e97ce7279aaff6922972461d191145faeb146b

  • SHA256

    c9e8c8010647474018aa1d292410ba890c078b76ae463dc930e193ebce74f0f3

  • SHA512

    4510d367e4d32a74ce5e7651d5a8e72729a0f0e3e1aabdcc05630625c1e4e49f53745c2082a7336ecbd63cc9501f6577ec1e49f1a2931e59cc9e67c17150b3e8

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (1295) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\cab74b35aa582da53c621a442ec5ee33.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\cab74b35aa582da53c621a442ec5ee33.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1712
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1508
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:804

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    3c755b03e9e9fec0cc49f41f782537f2

    SHA1

    846730de455b9970f49885894617579e774becb7

    SHA256

    5425fe5ac1b27db1ece0a8caac949a45529019e7ebbd95451a0a0c7e2517ad83

    SHA512

    46921fd8c68693713f7f75e810c0fdbc78e0023f3b34bddc82746322f42e45882e51f29862ada90ce240d8cd6255e8d2ebb43059cd3e8bf329bf312813f7b066

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    3c755b03e9e9fec0cc49f41f782537f2

    SHA1

    846730de455b9970f49885894617579e774becb7

    SHA256

    5425fe5ac1b27db1ece0a8caac949a45529019e7ebbd95451a0a0c7e2517ad83

    SHA512

    46921fd8c68693713f7f75e810c0fdbc78e0023f3b34bddc82746322f42e45882e51f29862ada90ce240d8cd6255e8d2ebb43059cd3e8bf329bf312813f7b066

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    31c9b44f83f41b723af7b344e42b83a4

    SHA1

    2598d6f7706571557ca690570e47a05ac49ab6fe

    SHA256

    7727a7815bf9d9f91792ebb5d1197350452843ed94c06bfd4e24315d17ef4b04

    SHA512

    8746b813b3bd74b6f07d0b538c9a50551d9923ef712092dc7a8e1bb6ddf594f6aa477628cf12b051e71f322216b948922195d678ca3fc5d2a59913db54791d0e

  • memory/900-54-0x0000000000000000-mapping.dmp
  • memory/900-55-0x00000000762A1000-0x00000000762A3000-memory.dmp
    Filesize

    8KB

  • memory/1712-56-0x0000000000000000-mapping.dmp