Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-03-2024 10:11
Static task: static1
Behavioral task: behavioral1
- Sample: 220720-cdvfqsacd9.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 220720-cdvfqsacd9.dll
- Resource: win10v2004-20240226-en
General
- Target: 220720-cdvfqsacd9.dll
- Size: 5.0MB
- MD5: 54abc6dbc947845d38762f53af7f2b16
- SHA1: 7376d7444a05dc21177496f10d0194eaedd66771
- SHA256: 4056238a615260bca116bd686070addc75a16a4c30ee20e805ffdec5c6df0cbb
- SHA512: d4237b9685c151998308b306974e2e10cc36be530e5f63fa6ef0b4a08181d7cf501813a4e743436f0123c4100416580d2797e46bca1cdf0ea5ae4dfbd2c169b7
- SSDEEP: 49152:RnqqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1qqPoBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3270) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes: mssecsvr.exe, mssecsvr.exe
  pid  | process
  1032 | mssecsvr.exe
  2484 | mssecsvr.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (4 IoCs)
  Processes: mssecsvr.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mssecsvr.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvr.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvr.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvr.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: mssecsvr.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvr.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 3584 wrote to memory of 624 | 3584 | rundll32.exe | rundll32.exe
  PID 3584 wrote to memory of 624 | 3584 | rundll32.exe | rundll32.exe
  PID 3584 wrote to memory of 624 | 3584 | rundll32.exe | rundll32.exe
  PID 624 wrote to memory of 1032 | 624 | rundll32.exe | mssecsvr.exe
  PID 624 wrote to memory of 1032 | 624 | rundll32.exe | mssecsvr.exe
  PID 624 wrote to memory of 1032 | 624 | rundll32.exe | mssecsvr.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\220720-cdvfqsacd9.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3584
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\220720-cdvfqsacd9.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 624
    - C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1032
- C:\WINDOWS\mssecsvr.exe
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2484
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1024KB
  MD5: ba0ef8d46f752db201a5b32bf93507f0
  SHA1: ea32181726b1138f932217f0d20f771711dd47bb
  SHA256: abd2635551f06a4f504ebc39d0a67c2fe23ad74be2e7dd141184ba75b1b9c2d0
  SHA512: ecd0a2846ff9fd55476a2a26c80c52ebe5d304ae870d2960ad8ae7c65f290af1916ee63fcacfb7fd27d215a28b37b804d164d4817c78ced71992e804a438950c
- Filesize: 2.2MB
  MD5: ba72f8befa00aa3e36ca5822f4b0955d
  SHA1: f627e725fc59284212d32bad8b9e1f5890be76ed
  SHA256: f627890d60ebafc66e98a8d7c348a7a89a78301c1934d507a1f167be242de78b
  SHA512: 0fc598c9ea0992d5751992d9ea5058799c6b6a5ea49d9a4084ae1f50568be7c3419c5f07c38b85b156143b77d472a048526c43fa103bd6d04195eb6a01b87661