Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-10-2024 14:18
General
-
Target
c88aa6e79e17b12670cecde5e185108a64afbbab12d789e5e97d131f96332945N.dll
-
Size
5.0MB
-
MD5
916205e7bd372f0b9208f6887be238d0
-
SHA1
57796cce4f7bf25fe4a7d34c22584b4d5dc8b93a
-
SHA256
c88aa6e79e17b12670cecde5e185108a64afbbab12d789e5e97d131f96332945
-
SHA512
df09c1859c1f73c9e4bb1df64f2b9e9e28fb8badd8d4522f1f04a15931764e0c1a904b198cfaafb90e3ce7861a02e6dbab9936cbeb419b59b18019eddfb436e1
-
SSDEEP
49152:unpEjbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:apUoBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3071) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 5 IoCs
-
Drops file in Windows directory 4 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 24 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c88aa6e79e17b12670cecde5e185108a64afbbab12d789e5e97d131f96332945N.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c88aa6e79e17b12670cecde5e185108a64afbbab12d789e5e97d131f96332945N.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD55aafca3efd0b1bff9d7b98a517f4fc78
SHA126157238201eb9968329ee2ec7b11a64a510c676
SHA25656571071a4ff2044428400d411e5789c8bc0dfb550d9565afc91ac2a821bc0fb
SHA5120f8474131dc6653fb202ba8f6ad54c3ce2eefc57829cae6f8922cf04586ed909dc5fb3e77b8f6ca5b8d727b725dbf0543f50c57bac0ffc3984de5e7a9c3a5cf3
-
Filesize
2.0MB
MD5f1b717ebec2183e765246746a9b62c76
SHA181f170ef7d854fdc583da8b03bb63fecd64028ac
SHA256d0ff2fd8c8e68dc9b5bd2d1ae58cd44ad189fcd2ba5b3f3bc6d5a24062b58256
SHA512a0725be1c99657f00f92e16e56b68900272c06ab894f35836fe8277bf8249b7dd540e31c6b71af54c6593f9ec03cff28a4229f2ec1ec5b7aefb219bbd51dec09