Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
  • submitted
    02-07-2024 20:38

General

  • Target

    fa40bdbdd5305d4fab585b65633e7c27b36ef79ccf51983f8e41ac3573ebf944.dll

  • Size

    5.0MB

  • MD5

    5818d137c6c7324aa05a01c8c3cfe9d9

  • SHA1

    58a75425a9e7331de5f9d62d74d5ab063df90996

  • SHA256

    fa40bdbdd5305d4fab585b65633e7c27b36ef79ccf51983f8e41ac3573ebf944

  • SHA512

    8caf9bf9c3e9225be105814d9a41a10f4a680962e260507a46f4cd9f4d4a610f79ee62c80e019c3b6d2a367e9383e2ddb902ec33568aa625270e053689f44370

  • SSDEEP

    98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2P:d8qPe1Cxcxk3ZAEUadzR8yc4P

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3208) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa40bdbdd5305d4fab585b65633e7c27b36ef79ccf51983f8e41ac3573ebf944.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa40bdbdd5305d4fab585b65633e7c27b36ef79ccf51983f8e41ac3573ebf944.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2980
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:2992
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1928
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1732

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    2ccb64920bb12c6e0c2c615eeff3e45b

    SHA1

    4ce549d9647cad21e770846802dfd26c822ee0e9

    SHA256

    e06694e7c6d670ecc8522fc1d05864cdf717da848c853993a091cf90b53e051b

    SHA512

    d95ab9128915a088f8efd15743714fac4ac7928deb0f7fa25bb0bd44133ac65e3371ced697a69463aed897b4a7b830fd6561c869613923fe02ea2eebcef38a87

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    fc9c1d282075ad5f323a527d191b66f0

    SHA1

    f6b1c944d90d736229567f702be1b640f101bcd7

    SHA256

    0ddef7acfdff6f07d415548ac0ebd022534f8ad725e94acec4b3f1660bc66ab4

    SHA512

    69d4ccefd8edf27add09c691388849f54a70abefb62825d3f5d507448bb6f55e985848297ec2fcbdca755ff3e142aa0eea9f60a25e48aec03f77e04ecefac1e2