Overview

overview

10

Static

static

3

b0c40cce2d...cf.dll

windows7-x64

10

b0c40cce2d...cf.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2025 03:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0c40cce2d2fd0acbc27c2367ae8e1493e7a6d4511152fb387532acba67017cf.dll

  • Size

    5.0MB

  • MD5

    49e38bc384b99902d6dca4754c63edee

  • SHA1

    0f893f6fea8f62a2092c292bacf1e1552332b780

  • SHA256

    b0c40cce2d2fd0acbc27c2367ae8e1493e7a6d4511152fb387532acba67017cf

  • SHA512

    da8ab02e69fbc15c44a7878694617436b5b8ab19b56a45675a4dfd2a604a51516531c60e48669ed39cc7475ae547abeb5cb9c0ea6b33be89917bf3212b18a7c0

  • SSDEEP

    12288:T1bLgmluCtgQbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D85SQeuB8:RbLgurgDdmMSirYbcMNgef0Xk+8

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Wannacry family
    wannacry
  • Contacts a large (3222) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 2 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0c40cce2d2fd0acbc27c2367ae8e1493e7a6d4511152fb387532acba67017cf.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1908
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0c40cce2d2fd0acbc27c2367ae8e1493e7a6d4511152fb387532acba67017cf.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\WINDOWS\mssecsvr.exe
        C:\WINDOWS\mssecsvr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2972
  • C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:4724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvr.exe
    Filesize

    2.2MB

    MD5

    55929d228ed4b7663daf679c8b3106e1

    SHA1

    0dd8f29d3137143e033efa3e4ddd7289ed0c2421

    SHA256

    c453f10bb43cb8ef44226f74f705b50fef8271a6c3f10e1871b952bfaea02392

    SHA512

    87e7b8f6e30007ca5dbfec9f0fad804d9f2bb733de87608fbebd0e0e6d5ddc1a515de89d3a0bb9a3a74d6115d661ce85a18d2d0cdf4d0e37d9aa9458b84f017e

    Download Submit