Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-03-2024 06:29
Static task: static1
Behavioral task: behavioral1
- Sample: 996c2b2ca30180129c69352a3a3515e4 (1).dll
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 996c2b2ca30180129c69352a3a3515e4 (1).dll
- Resource: win10v2004-20240226-en
General
- Target: 996c2b2ca30180129c69352a3a3515e4 (1).dll
- Size: 5.0MB
- MD5: 996c2b2ca30180129c69352a3a3515e4
- SHA1: 6d788a5a77719ef3157c409108909da2456bf996
- SHA256: df6d5b29a97647bca44e2306069f7675ef992f591c8c761af99bbdc17cfa7692
- SHA512: da2acf9fd0553b473802b6dd8cf35a0ac4e734f0a790f9c260db06f46f84ff452bd888297f662540bf60a895a3f196368d3e24d13dd9e0d4ca9e83d3cc1076de
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:TDqPe1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3191) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
    2524 mssecsvc.exe
    3272 mssecsvc.exe
    3340 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, IoC, process):
    File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, IoC, process), all by mssecsvc.exe:
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, PID, process, target process):
    PID 2488 wrote to memory of 4868 (rundll32.exe -> rundll32.exe)
    PID 2488 wrote to memory of 4868 (rundll32.exe -> rundll32.exe)
    PID 2488 wrote to memory of 4868 (rundll32.exe -> rundll32.exe)
    PID 4868 wrote to memory of 2524 (rundll32.exe -> mssecsvc.exe)
    PID 4868 wrote to memory of 2524 (rundll32.exe -> mssecsvc.exe)
    PID 4868 wrote to memory of 2524 (rundll32.exe -> mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\996c2b2ca30180129c69352a3a3515e4 (1).dll",#1
  - Suspicious use of WriteProcessMemory
  PID: 2488
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\996c2b2ca30180129c69352a3a3515e4 (1).dll",#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4868
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2524
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3340
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 3272
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 7339a0efc768310a86b6d4f61d88b910
  SHA1: 05cebfdb6729ed57ca111ae18b645335af7cf006
  SHA256: 74d72f5f488bd3c2e28322c8997d44ac61ee3ccc49b7c42220472633af95c0c0
  SHA512: 83a892c1680f94d6422665f4374885350dd887add35f54fb6c1e11b2a99e04e5794fb56b1c3858da32dca86da01e5d842b3d489df84f54dc929f62c238c002fd
- Filesize: 3.4MB
  MD5: 7f7ccaa16fb15eb1c7399d422f8363e8
  SHA1: bd44d0ab543bf814d93b719c24e90d8dd7111234
  SHA256: 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
  SHA512: 83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7