Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-11-2024 01:19

General

  • Target

    a56e5450cf34d7491bebf4c8232e8f6a5f46a3bab293129cc24c843369102c72.dll

  • Size

    5.0MB

  • MD5

    aa62c5bae918f4d52c52a32fbc27f0a9

  • SHA1

    3c337bfc1f06bd236a2a19b583d09980f4af076a

  • SHA256

    a56e5450cf34d7491bebf4c8232e8f6a5f46a3bab293129cc24c843369102c72

  • SHA512

    50863f4a5047492bb7b271beee9a4b499d6d33c26f696caa207025c42a39f701db244bf4c17cb9c428b766a6db0c063ae62d2af3058119b6a7ab92940c204b03

  • SSDEEP

    98304:TDqPoBhz1aRxcSUDkn6SAEdhvxWa9P593R8yAVp2H:TDqPe1CxcxknZAEUadzR8yc4H

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Contacts a large (3284) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\a56e5450cf34d7491bebf4c8232e8f6a5f46a3bab293129cc24c843369102c72.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\a56e5450cf34d7491bebf4c8232e8f6a5f46a3bab293129cc24c843369102c72.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2528
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2256
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2116

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    a1f604a8258ca8df0d4466fdc6b71ded

    SHA1

    4ee04369b4bef78d37adfec37e01227bc2766572

    SHA256

    8cee9ce56f1a958d285d34c03cd47e1b3fa15b27dd142994f992e7b837981500

    SHA512

    43b00f08a21bc7bf074d839ad1c07aa2cdc16c08a4f9557e9dc70bafe97bd5dc52d88f9902b3fc3b6c2c7cefcaf610f860e9e23bd833e6ab8098e400b8d62162

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    be9858384a5352c00667fccbab091bc2

    SHA1

    2ffdef1cd77c680cd6b38390e29a8d1044cc51c0

    SHA256

    181ed2fbf4f2ed4fb186faf5d15b05e342e8f24ba5d9b7cbde786a1e70b0ca27

    SHA512

    ff520c4587fb44e34e92dc437c6221ce421c178e76a5f9a52826e8dd289e372d3b8ca778160efa35ebd104b32d5ce2467f549edf75aa28293fa0c736bcbec5ad