Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2023, 02:54

General

  • Target
    5731423bdd4b80b4e8a1909abef784f4.dll
  • Size
    5.0MB
  • MD5
    5731423bdd4b80b4e8a1909abef784f4
  • SHA1
    eb81706c0a8ba8374968aaa221bf09ade1e12f00
  • SHA256
    0373ca1f4a99994da7eda257fcf8bd7050a126287e1cbae051a063df5abe4959
  • SHA512
    e9aac8251a2f16678465fd20cbe7742087a66921cc7505fca5c053a5a189c4b2f92c8dcf8230dad758b84a1f98e3a234469c69aa4b4d1afaf7ccae9b5c946474
  • SSDEEP
    49152:RnhqMSPbcBVQej/1INRx+TSqTdd1HkQo6SAARdhn:1hqPoBhz1aRxcSUZk36SAEdh

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3213) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5731423bdd4b80b4e8a1909abef784f4.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5731423bdd4b80b4e8a1909abef784f4.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:4228
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2472

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\WINDOWS\mssecsvr.exe
    Filesize
    2.2MB
    MD5
    f776768c678108a3a91893a184a8caad
    SHA1
    1681e4b030314d16011f510b970dc29db9ba45f9
    SHA256
    d5210c77c1efe449cd81312f235aaacaac647e330ad65e3ddcf47040ce11fdd1
    SHA512
    54aedff5e5ab80db9bcab5fc3d2b490ba5d548589cf1ffe195101ea44068a9aa72d68f281f1472c70d80488bbe0e521f1828aaadfb45490dff3816deda0a66be
  • C:\Windows\mssecsvr.exe
    Filesize
    2.0MB
    MD5
    5eddabbe06fafce645c85b2b6d63ee9d
    SHA1
    628e4205b06108b11419ae1b4352ea6660b02626
    SHA256
    635da44e3b068ba8beb170040b5596b7e95d58a8a00bcb62def2f843751fc3ea
    SHA512
    abdf79ecb6c20bb7fc297328da1a7d51aaf528b8a11424b37e600b113ebff4b7f8e7e4bc4b9d5d878194ff7a5bf6c7ca5850f11ca5fd596d4280ec46fe8f0588
  • C:\Windows\mssecsvr.exe
    Filesize
    1.0MB
    MD5
    60f6c8835e564b76c0a7f86e14181d0f
    SHA1
    9d93fd2ff6ffe40f7278fe8f2743ee5ec023645d
    SHA256
    c7f3a2e4a91b00d54016c255de134b6375149392da6edbc5dcaf3435e9f44549
    SHA512
    ac3b09bc423389bab528767e8cd277eaecfe894c59dfe755d654e00be83e3759fc7051116393f7fc3e9036fe76b4b3c0928f95569e390f22c50c0e1ecc0876d2