Overview

overview

10

Static

static

3

d0ef0a238e...4e.dll

windows7-x64

10

d0ef0a238e...4e.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    02-07-2024 18:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0ef0a238e213de530802850440cafeb7ca7ce2c28111b949f6ce5af5086724e.dll

  • Size

    5.0MB

  • MD5

    9bb7c669afb9fff7c5b97b608f7a7103

  • SHA1

    a943066c3d64c078a23e540606c90a61fd97fe8b

  • SHA256

    d0ef0a238e213de530802850440cafeb7ca7ce2c28111b949f6ce5af5086724e

  • SHA512

    ec5156b6b0137f6f5ba1c71b893d567d86e038f30a00094b51064ec37988e8969eb27c5017964bd91361117d4df88e5d3ad56e4fcd41d4886699a17504ba5dd1

  • SSDEEP

    98304:d8qPoBhz1aRxcSUDk36SAEdhhP55Vp2H:d8qPe1Cxcxk3ZAEFV4H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3369) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0ef0a238e213de530802850440cafeb7ca7ce2c28111b949f6ce5af5086724e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0ef0a238e213de530802850440cafeb7ca7ce2c28111b949f6ce5af5086724e.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2952
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2660
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    d56dcdedbf678fd06a4eecad53a09b3d

    SHA1

    3576408f638b830b6d2174fe74806dbbc520ff7c

    SHA256

    f312b1653d618d3b6488e246d16c8b58a7fdbdfae040c4c2a3cac968e2246c21

    SHA512

    ca9f4bb373912c278e538ef957572bbac7cf674351784eb8a1095274729bf225c9310c77c2bcbca99f9cfa6fa8659f836ce54934fa3fe838dbe262bd1b875270

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    0edcb23e1b4a14ea237c945034cc1fa5

    SHA1

    098c6bf0738c156f110f59a0fbee8807a13e8292

    SHA256

    56aa953e31a7aa71659f4fb9333de189014656810fe12de3b215db6bf2a53939

    SHA512

    2b623def457a31c48daefae21ad7e75a79504a07dc8229b628ed9054e3ebddbf0d8bf98697f6519133bde0723b78fc5c803f0968734cc4fbaae21d7c565cb366

    Download Submit