Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-07-2024 08:02

General

  • Target

    dbab3402b2b9768ef8d47c71bc465f9508a3c9a1e3a55439edf9a04992d8d5d4.dll

  • Size

    5.0MB

  • MD5

    cbbb91e7466659503caa21c703befb5e

  • SHA1

    ccdef0353fcfd042c9c29db018e2e1f74887b2aa

  • SHA256

    dbab3402b2b9768ef8d47c71bc465f9508a3c9a1e3a55439edf9a04992d8d5d4

  • SHA512

    c810a580e927d93131623130823c1a807aa62717a61e36860a71b932d8708c497505e39a2b88b5420a9031af5d633ec4abf1b8e0fe39f5ad8f02225a409622ff

  • SSDEEP

    98304:afPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVb:afPe1Cxcxk3ZAEUadzR8ycb

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3147) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbab3402b2b9768ef8d47c71bc465f9508a3c9a1e3a55439edf9a04992d8d5d4.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2276
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\dbab3402b2b9768ef8d47c71bc465f9508a3c9a1e3a55439edf9a04992d8d5d4.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1164
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:3364

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvr.exe

    Filesize

    3.6MB

    MD5

    96e3c461420847b9db7e36187e0295b2

    SHA1

    ba254594bc52a9742568de2247024afdcdbf7cd2

    SHA256

    5ac63698228d139f0cc021450d71515546ad2906d2deb58016a6fc6309542b8b

    SHA512

    0f7753ae2a06e8986f55a08bbe29ef44ba2fba2ac627ce995cbb90cb1f6f9e1725e7aba779eb5a10f06d2160a8876d009f754bd2f59b3da56456760a001ed3f0