Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220715-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220715-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-07-2022 01:34

General

  • Target

    da6ac5326498e7dfef73b0a8cf99a409.dll

  • Size

    5.0MB

  • MD5

    da6ac5326498e7dfef73b0a8cf99a409

  • SHA1

    d12a2d7f96c1a7448940332c94f537ecc9de59e1

  • SHA256

    f5d6e57c830007ae7acd9e604aa6e1e1f6a3d1fe834c6e680f2aa18c0fef9cac

  • SHA512

    d424bcb389c98d8985dd7f504cfe33cf4ac566aca2ed91376088f7d3d8c631f21031bbf74776c5d628f89528a6a2cb5a14785627b681ead39dccccb28d968ed2

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large number (1258) of remote hosts (1 TTP)

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE (3 IoCs)
  • Drops file in System32 directory (1 IoC)
  • Drops file in Windows directory (2 IoCs)
  • Modifies data under HKEY_USERS (24 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\da6ac5326498e7dfef73b0a8cf99a409.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\da6ac5326498e7dfef73b0a8cf99a409.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2008
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1248
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1432

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery
    Network Service Scanning (T1046), 1 signature

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    9ef67eb01f7edb9dd204529368627943

    SHA1

    383d52ca7a7e99f7053c7f4ebca692bd2445f07a

    SHA256

    96f416e0cba8262eb477cef07211c63cbe24e4b97e0cfd865049346d2f3e140f

    SHA512

    f60270827402f42c907bd042aa00ca7f59892aa94932addba103cd069086ad8c8d0d0018043ec789d43308923853139d22e1d8536b44e1e430523db555fcb8c7

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    9ef67eb01f7edb9dd204529368627943

    SHA1

    383d52ca7a7e99f7053c7f4ebca692bd2445f07a

    SHA256

    96f416e0cba8262eb477cef07211c63cbe24e4b97e0cfd865049346d2f3e140f

    SHA512

    f60270827402f42c907bd042aa00ca7f59892aa94932addba103cd069086ad8c8d0d0018043ec789d43308923853139d22e1d8536b44e1e430523db555fcb8c7

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    82ed5400745e791e1652a1644c730a55

    SHA1

    6f69a63881e9f66664125ed1f5bbb181f60a9e15

    SHA256

    246f63172c1021f86f450872f28e4df9a7cacf6dfed420f50c62d489072f78b8

    SHA512

    38f924fd7da34ed02123df70ec8c2fd4aa87ebf7da8a4566863568d81672fd3df00c42778882f0bcf9de14e2d17dc0c29cd70d1595f0aa7f486dd2880c33c095

  • memory/1992-54-0x0000000000000000-mapping.dmp
  • memory/1992-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
    Filesize

    8KB

  • memory/2008-56-0x0000000000000000-mapping.dmp