Resubmissions

22-01-2025 12:01

250122-n6weaavpgt 10

14-01-2025 19:59

250114-yqefyazner 10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-01-2025 12:01

General

  • Target

    5a9e809ef287470a50cef41df8897b62.dll

  • Size

    5.0MB

  • MD5

    5a9e809ef287470a50cef41df8897b62

  • SHA1

    ee0f5c896b5a2469f8776b78b173ab32a7f77c80

  • SHA256

    b7d8c3c4d8fa50ea3eb0ffac24904616e3b29659a56cb7f4835bf3348883db4f

  • SHA512

    cc418febb4768f43cf693f186d1255ab549ce72f45da5aaee8b871282eb3ad20611ac3e8a76e99ada507bfde430a353cdec6df41e53e9d2c1c92052bbb42a837

  • SSDEEP

    98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593:+DqPe1Cxcxk3ZAEUadz

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Wannacry family
  • Contacts a large (3292) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a9e809ef287470a50cef41df8897b62.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5a9e809ef287470a50cef41df8897b62.dll,#1
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:2968
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2684
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:2408
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:1700

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\mssecsvc.exe

    Filesize

    3.6MB

    MD5

    c4aa4f0eb44ed580e3c8833f8b2392a7

    SHA1

    daa76bd19a0b71a74c55e3f2b2a328a8fde70f7a

    SHA256

    ccde3f6c80250b8e3b5709ef3a1375aa9f64b3e675ff495ec5549fe738af218e

    SHA512

    fc7dc6e62f193d9f863331c1fe56ab2b448555f590823e3ac22bb638de28edc115822d91bb8cc58b19376589ca9f9539511babe0c9563b7ccc489e8b4ec89726

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    ae66aa60b12fe89c181aebc71ae5bae7

    SHA1

    e0681e1a1333954c44b6da481efffb7c2c723dd4

    SHA256

    0514b35217b984200ae41623961adab78f2f538bf2614eea067194d4d281f5fe

    SHA512

    d94e88919db665291220ae6dd33d2d34bd0c351f19eb25bf2ba722832fda9d97139e798f7ff77906995ee94d7252754fa1c46bcef3176d94ebb60c45fcbabf48