Analysis
- max time kernel: 165s
- max time network: 172s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-03-2024 10:11
Static task: static1
Behavioral task: behavioral1
- Sample: 220725-dddnnabfh8.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 220725-dddnnabfh8.dll
- Resource: win10v2004-20240226-en
General
- Target: 220725-dddnnabfh8.dll
- Size: 5.0MB
- MD5: 1af38678dc693d8653223ae4856fd2a4
- SHA1: fa2dd12ab5ec307438b6fd10dbaab6d7e9622696
- SHA256: 568457a3f7f57435846704179136e37112f51ef842c3c5c5dc50126ef4f662a2
- SHA512: c4eadd07c58aa50fe9656c1259e218ba430e7f2f6b6a84280b4f2122e70c40481c4f7346119f50e0028f8ee4f6a5484108d4cc35e80a0ab1f34da66edb38d4a1
- SSDEEP: 12288:jvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D:LbLgddQhfdmMSirYbcMNgef0
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3029) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid    process
1616   mssecsvc.exe
3568   mssecsvc.exe
1500   tasksche.exe
-
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
description    ioc                        process
File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
-
Modifies data under HKEY_USERS (5 IoCs)
Processes: mssecsvc.exe
description        ioc                                                                                                          process
Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  mssecsvc.exe
Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
description                         pid    process        target process
PID 880 wrote to memory of 2904     880    rundll32.exe   rundll32.exe
PID 880 wrote to memory of 2904     880    rundll32.exe   rundll32.exe
PID 880 wrote to memory of 2904     880    rundll32.exe   rundll32.exe
PID 2904 wrote to memory of 1616    2904   rundll32.exe   mssecsvc.exe
PID 2904 wrote to memory of 1616    2904   rundll32.exe   mssecsvc.exe
PID 2904 wrote to memory of 1616    2904   rundll32.exe   mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1, PID 880)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\220725-dddnnabfh8.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2, PID 2904)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\220725-dddnnabfh8.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (depth 3, PID 1616)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (depth 4, PID 1500)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (depth 1, PID 3568)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
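The signatures and the process tree above are the sandbox's verdicts; the following is an added example (not the sandbox's own rule code, nor anything shipped with the sample) of how the same behaviours can be re-derived from ordered host telemetry. It replays constructed process, file, registry and network events that mirror the report's PIDs, paths and registry writes, and rebuilds the parent chain from those events. The event schema, the event ordering and the HOST_THRESHOLD value are assumptions made for this example; the report itself only states that 3029 remote hosts were contacted.

```python
"""Added example (not the sandbox's own rule code): a small detection pass
over host telemetry that reproduces the report's signatures and rebuilds
the process tree from parent PIDs. The event schema below and the
HOST_THRESHOLD value are assumptions made for this example."""
from collections import defaultdict

WINDOWS_DIR = "c:\\windows\\"
HKU_PREFIX = "\\registry\\user\\"
HOST_THRESHOLD = 100  # assumed cut-off; the report observed 3029 distinct hosts

ZONEMAP = ("\\REGISTRY\\USER\\.DEFAULT\\Software\\Microsoft\\Windows\\"
           "CurrentVersion\\Internet Settings\\ZoneMap\\")

# Constructed events mirroring the report's process tree, file drops and
# registry writes (PIDs and paths taken from the report; ordering assumed).
EVENTS = [
    {"t": "proc", "pid": 880, "ppid": 1, "image": "C:\\Windows\\system32\\rundll32.exe",
     "cmd": "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\220725-dddnnabfh8.dll,#1"},
    {"t": "proc", "pid": 2904, "ppid": 880, "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "cmd": "rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\220725-dddnnabfh8.dll,#1"},
    {"t": "file", "pid": 2904, "path": "C:\\WINDOWS\\mssecsvc.exe"},
    {"t": "proc", "pid": 1616, "ppid": 2904, "image": "C:\\WINDOWS\\mssecsvc.exe",
     "cmd": "C:\\WINDOWS\\mssecsvc.exe"},
    {"t": "file", "pid": 1616, "path": "C:\\WINDOWS\\tasksche.exe"},
    {"t": "proc", "pid": 1500, "ppid": 1616, "image": "C:\\WINDOWS\\tasksche.exe",
     "cmd": "C:\\WINDOWS\\tasksche.exe /i"},
    {"t": "proc", "pid": 3568, "ppid": 1, "image": "C:\\WINDOWS\\mssecsvc.exe",
     "cmd": "C:\\WINDOWS\\mssecsvc.exe -m security"},
    {"t": "reg", "pid": 3568, "op": "Key created", "key": ZONEMAP, "value": None},
    {"t": "reg", "pid": 3568, "op": "Set value (int)", "key": ZONEMAP + "ProxyBypass", "value": 1},
    {"t": "reg", "pid": 3568, "op": "Set value (int)", "key": ZONEMAP + "IntranetName", "value": 1},
    {"t": "reg", "pid": 3568, "op": "Set value (int)", "key": ZONEMAP + "UNCAsIntranet", "value": 1},
    {"t": "reg", "pid": 3568, "op": "Set value (int)", "key": ZONEMAP + "AutoDetect", "value": 0},
]
# Constructed network events: 3029 distinct destinations from the service process.
EVENTS += [{"t": "net", "pid": 3568, "dst": f"10.{(i >> 8) & 255}.{i & 255}.1"}
           for i in range(3029)]


def analyse(events):
    """Run the rules over an ordered event list.

    Returns (alerts, parent) where alerts is a list of
    (signature, pid, detail) tuples and parent maps pid -> ppid.
    """
    alerts, parent = [], {}
    dropped = set()                  # lowercase paths written during the trace
    hosts = defaultdict(set)         # pid -> distinct destination addresses
    for ev in events:
        if ev["t"] == "proc":
            parent[ev["pid"]] = ev["ppid"]
            # "Executes dropped EXE": the image was written earlier in this trace.
            if ev["image"].lower() in dropped:
                alerts.append(("Executes dropped EXE", ev["pid"], ev["image"]))
        elif ev["t"] == "file":
            path = ev["path"].lower()
            dropped.add(path)
            # Directly inside the Windows directory, not in a subdirectory of it.
            if path.startswith(WINDOWS_DIR) and "\\" not in path[len(WINDOWS_DIR):]:
                alerts.append(("Drops file in Windows directory", ev["pid"], ev["path"]))
        elif ev["t"] == "reg":
            if ev["key"].lower().startswith(HKU_PREFIX):
                alerts.append(("Modifies data under HKEY_USERS", ev["pid"], ev["key"]))
        elif ev["t"] == "net":
            hosts[ev["pid"]].add(ev["dst"])
    for pid, dsts in hosts.items():
        if len(dsts) >= HOST_THRESHOLD:
            alerts.append(("Contacts a large amount of remote hosts", pid, f"{len(dsts)} hosts"))
    return alerts, parent


def lineage(parent, pid):
    """Walk parent links upward; returns [pid, ppid, grandparent, ...] and stops
    as soon as the next parent is not a process observed in the trace."""
    chain = [pid]
    while parent.get(chain[-1]) in parent:
        chain.append(parent[chain[-1]])
    return chain


if __name__ == "__main__":
    found, tree = analyse(EVENTS)
    for sig, pid, detail in found:
        print(f"{sig:45} pid={pid:<5} {detail}")
    print("lineage of tasksche.exe:", " <- ".join(map(str, lineage(tree, 1500))))
```

Two things the replay makes visible that the flat report does not spell out: `lineage(tree, 1500)` yields 1500 <- 1616 <- 2904 <- 880, i.e. tasksche.exe descends from the user-launched rundll32.exe, while the `-m security` instance (PID 3568) has no observed parent and forms a second root, consistent with it having been started outside the dropper's chain (the report does not say by what). The 64-bit system32 rundll32.exe spawning a SysWOW64 rundll32.exe with the same command line is the normal handoff to the 32-bit loader for a 32-bit DLL, which matches the arch:x86 resource tag above; that interpretation is the editor's, not a statement in the report.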
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 590da9206761814afd7a9c560f7e78ff
  SHA1: 1ca5c3917d39d3e2a076dfd3852c1f323059b6d9
  SHA256: de83d05c74abf769489dd1326e8ce83db138cb74b499098b50c1bc75d5d084d2
  SHA512: 736bf5cb314903db04f0f38f8c22d0e340f882f17869dc64a457859868ab0dd7062a1a8228ac7c29c1199a5aa0109c28c35c63e84087bd14852f5c2c7e60684e
- Filesize: 2.1MB
  MD5: f319f1dd234d560ddda279365d35ec0a
  SHA1: 07a28c82675d838eec4010f58438fd94ef565e19
  SHA256: 6177385751cd976688ba43f86a23225720e62cadff121683f00bf1240a670a80
  SHA512: 007fc9fbfb1fae99141b781b7c56b8485b8c59786cc4a8d6f5d35ec332659ea5922df7d33e6b88102d69e8bb13b85e0c96c7b8a2a467b7bcac3ae533bfe3cdee
- Filesize: 1.6MB
  MD5: b07c697642d5ca058e18ed77888e2c08
  SHA1: 77007d99ddb1fa3dc12e9ac1d196d763b5055cc1
  SHA256: 8d179730db241b1030a14ad04316aa729780f6d8b54913e39600c9e4b3e87671
  SHA512: 767f33fb103af0f50504dc0101bfcc703000beb376b976027a14110b9ae3c3c28c7d21bbb14d4b32271685e8fba816addbfc1ea437d2f4afeb48b8f1460dcec0