Overview

overview

10

Static

static

c881745e13...20.dll

windows7-x64

10

c881745e13...20.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220718-en
  • resource tags

    arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
  • submitted
    20-07-2022 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c881745e136cd982aee1cb9edffb0020.dll

  • Size

    5.0MB

  • MD5

    c881745e136cd982aee1cb9edffb0020

  • SHA1

    962cd2f8af7855570494551376341e548fecc0ea

  • SHA256

    6086ceb5624ff6f841f35a6b75ae823288e7385c2ab3076b45e35a7b961c4da7

  • SHA512

    67c689326c4f7b6b4209cdfb22283551f782be71f2cd6119b4fb4abe7fa019c5f47f475ffc55429bdfcd8f87a105e5ead1552b0079347648e7cf658e7bb0b5dd

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (1005) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\c881745e136cd982aee1cb9edffb0020.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\c881745e136cd982aee1cb9edffb0020.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1412
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1808
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:956

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\WINDOWS\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    93ceb860c9f755d2437af5c0286a2678

    SHA1

    0f273760924065c9eb0edf2c719103b8abcef974

    SHA256

    9a8fb46cd6b8b8fc0846b1c8ec72a09948b203111e2945b6bda9b4326e4ff2eb

    SHA512

    fa2155e7ee2d69e3eabda47e0a32c8ee8fa6f9aa0881c95d00cd441dbfe0291758bf4b0571e4b7e9bb2945aa897fda6036d5102b64c6d8c72e8086b41b040708

    Download Submit

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    93ceb860c9f755d2437af5c0286a2678

    SHA1

    0f273760924065c9eb0edf2c719103b8abcef974

    SHA256

    9a8fb46cd6b8b8fc0846b1c8ec72a09948b203111e2945b6bda9b4326e4ff2eb

    SHA512

    fa2155e7ee2d69e3eabda47e0a32c8ee8fa6f9aa0881c95d00cd441dbfe0291758bf4b0571e4b7e9bb2945aa897fda6036d5102b64c6d8c72e8086b41b040708

    Download Submit

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    93ceb860c9f755d2437af5c0286a2678

    SHA1

    0f273760924065c9eb0edf2c719103b8abcef974

    SHA256

    9a8fb46cd6b8b8fc0846b1c8ec72a09948b203111e2945b6bda9b4326e4ff2eb

    SHA512

    fa2155e7ee2d69e3eabda47e0a32c8ee8fa6f9aa0881c95d00cd441dbfe0291758bf4b0571e4b7e9bb2945aa897fda6036d5102b64c6d8c72e8086b41b040708

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    97bbd2ece4c729bb205791acdb78f4fd

    SHA1

    c4d9a76ceb0ba239e1836ea1cf0f667ce0e0b5d6

    SHA256

    1e268628cb68557ce923d7a9011dec0d8a56d59c791da278a977d5e9e52e4a9d

    SHA512

    351f673d22311df3408b87ab96fd8e5659abbd25f5dda3d2d4116ff58acd9d43c701fa6bdc29449e75dd66b143e7c9db737a9154d636cb7c5ef7fef16d7acb8f

    Download Submit

  • memory/1412-56-0x0000000000000000-mapping.dmp

    Download

  • memory/1772-54-0x0000000000000000-mapping.dmp

    Download

  • memory/1772-55-0x0000000075761000-0x0000000075763000-memory.dmp

    Filesize

    8KB

    Download