Overview

overview

10

Static

static

a1118e338f...2b.dll

windows7-x64

10

a1118e338f...2b.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    170s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    20-07-2022 02:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1118e338f2ae1b5837396edb09ea62b.dll

  • Size

    5.0MB

  • MD5

    a1118e338f2ae1b5837396edb09ea62b

  • SHA1

    6b1ad64df7639acdb8a7dce2a9ddb230ebb91096

  • SHA256

    15e65f0b7dfaa38ff7379b6ae524169761b01225ba178124cae538b692581ef6

  • SHA512

    371f4af2863f564199f9b3d908784528b971255378cf2d7206913cff6c9508b984900e2471677bbdd800df2a7ae18a9a968171034df3189c13224aee5c83b0ac

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (1276) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1118e338f2ae1b5837396edb09ea62b.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a1118e338f2ae1b5837396edb09ea62b.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1828
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1112
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:948
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1532

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    39c86da8011c0cd923a9357842d678a0

    SHA1

    9c14c5be89ddf92cbd327ac8ee420b76bb043598

    SHA256

    d287e023385b885911765941a9c06c149d0c92d3d45aea4a014da3004aa849fe

    SHA512

    e25f27a8e8592ada9b4cc71163949e5749e0d8f4aa10abb01cef8521d6d574a93212824faa0a5aa0bbc7cbe376bd0ea87c0a4d5376f3275e1ad7ca8999513dcf

    Download Submit

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    39c86da8011c0cd923a9357842d678a0

    SHA1

    9c14c5be89ddf92cbd327ac8ee420b76bb043598

    SHA256

    d287e023385b885911765941a9c06c149d0c92d3d45aea4a014da3004aa849fe

    SHA512

    e25f27a8e8592ada9b4cc71163949e5749e0d8f4aa10abb01cef8521d6d574a93212824faa0a5aa0bbc7cbe376bd0ea87c0a4d5376f3275e1ad7ca8999513dcf

    Download Submit

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    39c86da8011c0cd923a9357842d678a0

    SHA1

    9c14c5be89ddf92cbd327ac8ee420b76bb043598

    SHA256

    d287e023385b885911765941a9c06c149d0c92d3d45aea4a014da3004aa849fe

    SHA512

    e25f27a8e8592ada9b4cc71163949e5749e0d8f4aa10abb01cef8521d6d574a93212824faa0a5aa0bbc7cbe376bd0ea87c0a4d5376f3275e1ad7ca8999513dcf

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    3475b0e7e1d749c9b1b174da8c01d190

    SHA1

    69f737f2f05c008b4348732155e73235e71603d9

    SHA256

    c66e7af0cf8c2882c6fa8db7973ae4ba045a03881514346fa3527e2c995329a9

    SHA512

    a35f6fdfdabc32416b526ff0f68735e8a4aa48e635355b5437767ba712adf09684cd53caccd9636369db0d41b3195e72673dd3a7a150916326445964de9f7df9

    Download Submit

  • memory/1112-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1828-54-0x0000000000000000-mapping.dmp

    Download

  • memory/1828-55-0x0000000075871000-0x0000000075873000-memory.dmp

    Filesize

    8KB

    Download