Overview

overview

10

Static

static

3

96dd34bd8a...fN.dll

windows7-x64

10

96dd34bd8a...fN.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 19:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96dd34bd8af12ac28cb598988f67351ca47502d1b4a16c98066baa2191eb77afN.dll

  • Size

    5.0MB

  • MD5

    3dfde3406cf80d5438a3b33f73228530

  • SHA1

    4e410acd074c2d35e9e90212e72c2a1610e32851

  • SHA256

    96dd34bd8af12ac28cb598988f67351ca47502d1b4a16c98066baa2191eb77af

  • SHA512

    cc140074faab7a6c1e5e6a441278852f5c0aded1ca406b9832516d12291ec7acbd87ff797eb36f30070704bcbdaff1a9d9241854095a86ecf0f8cf0dbdc04118

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhb3R8yAVp2H:+DqPe1Cxcxk3ZAEHR8yc4H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Wannacry family
    wannacry
  • Contacts a large (2499) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\96dd34bd8af12ac28cb598988f67351ca47502d1b4a16c98066baa2191eb77afN.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4276
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\96dd34bd8af12ac28cb598988f67351ca47502d1b4a16c98066baa2191eb77afN.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1004
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4568
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:1640
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:3112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    c5b49436268a53d155790910af661336

    SHA1

    bb83a3f8ad419c92f3333f9126ba4d0dd0310151

    SHA256

    296c008a3ac825cd3e614a175bfabb4cd1081028c7b12e0c1c1039054cb865c2

    SHA512

    6a510d6363a94dc3403e0aae8a5a7a54d726e3d267480a33233d1546b84754e6d7835d606d520126784b1cc2509e9bfcde577e2604d142313bfb43a77ab03973

    Download Submit

  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    e45fa34e9e5a2f915b20f9551ac6f115

    SHA1

    c6a3ed6ef55d4892bbde29eb0c33272e6862f0c8

    SHA256

    3b807f3cb23c49f9da3352ed0187eb948a6ccf5a9b83c8fab2d1d0ffb9b3e9fd

    SHA512

    01d3b4c23c2a3852968e630871719ec4b9a072d2ba66d259df7b50fb0f6e9f3266967a2fed530f159b3dc55abd89de1650dffe6971365539a7bc8c940209978c

    Download Submit