Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-01-2025 22:00

General

  • Target

    f3178ae77df457f34b2b3a5e9f50bd9e.dll

  • Size

    5.0MB

  • MD5

    f3178ae77df457f34b2b3a5e9f50bd9e

  • SHA1

    af036d1febda4cb07ae8efe3961decaab50bea45

  • SHA256

    e033904d3cd18d9934335e78694a9c48f8cca7f1447479fe40f5e6ac8d55af25

  • SHA512

    133cbd4de24792b231b459f7b0e63bd55bed662c1ecc3a553a7b23858fa201197c40c6adf6a38bda8673dfebf066100e086b9a27d1f9be309cf742dd3a95effa

  • SSDEEP

    24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdPF58E9L:SnAQqMSPbcBVQej/1I/8E9L

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Contacts a large (3178) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3178ae77df457f34b2b3a5e9f50bd9e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f3178ae77df457f34b2b3a5e9f50bd9e.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2852
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2636
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    3309b9838fa3b66a046fca2740d4ee25

    SHA1

    72f022d07b424dfd4a552c571034e787f9f1279d

    SHA256

    a1dc8bc2e6dbc93980fa02f8b41627a7983a1c55ee0a6b6d6749ce88804eff0c

    SHA512

    83f60f85dad6ae78ffc1683b2b7b4091f390d60e8f9af99e3d476d664e786695b0566ebcda89022de7911016aa03afae3809d9fd089c94b902bae4959b43ac90

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    68b3f7c2334e7fcb13795d39aa2d5f3e

    SHA1

    47e5f3c7028362c18cc27415c19c166bd001144a

    SHA256

    969bf6584d54f32e06a4819c482207d01e16172026fb6a16711ba9728a05d564

    SHA512

    f80409415aaaf9e87a51a7baca0374e4c85779fcaf85205997069e35ec39f0aa1760df42468ccc493d238902e4e5b3683ee03cb6c60697c8094801c9f1d1a797