Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25-03-2024 16:11
Static task
static1
Behavioral task
behavioral1
Sample
ce223b231f2862124386c585e9b95ca1.dll
Resource
win10v2004-20240226-en
General
-
Target
ce223b231f2862124386c585e9b95ca1.dll
-
Size
5.0MB
-
MD5
ce223b231f2862124386c585e9b95ca1
-
SHA1
61673e2be7e3479a818eb98339692bc7e4a5b79c
-
SHA256
92bc02116a72b13d359ba88e0984ea09d2eb230fbf711d92a0c961e08274a09e
-
SHA512
dede42923cae7167fcff56ae1131e6cb5a9c8ef14d76d1be84211504685d628fa1abf658a7ec89d0bca976c35ef6eb58f93e4f59ffcc4c27468e3e44c0ac4faa
-
SSDEEP
12288:TQbLgmluyQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXF5:MbLguVQhfdmMSirYbcMNgef0QeQjG
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2513) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 2 IoCs
Processes:
mssecsvr.exemssecsvr.exepid process 1236 mssecsvr.exe 3960 mssecsvr.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvr.exedescription ioc process File created C:\WINDOWS\mssecsvr.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvr.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvr.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvr.exe -
Modifies registry class 1 IoCs
Processes:
OpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 4260 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
OpenWith.exepid process 4820 OpenWith.exe -
Suspicious use of SetWindowsHookEx 25 IoCs
Processes:
OpenWith.exepid process 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe 4820 OpenWith.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
rundll32.exerundll32.exeOpenWith.exedescription pid process target process PID 1364 wrote to memory of 4016 1364 rundll32.exe rundll32.exe PID 1364 wrote to memory of 4016 1364 rundll32.exe rundll32.exe PID 1364 wrote to memory of 4016 1364 rundll32.exe rundll32.exe PID 4016 wrote to memory of 1236 4016 rundll32.exe mssecsvr.exe PID 4016 wrote to memory of 1236 4016 rundll32.exe mssecsvr.exe PID 4016 wrote to memory of 1236 4016 rundll32.exe mssecsvr.exe PID 4820 wrote to memory of 4260 4820 OpenWith.exe NOTEPAD.EXE PID 4820 wrote to memory of 4260 4820 OpenWith.exe NOTEPAD.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ce223b231f2862124386c585e9b95ca1.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ce223b231f2862124386c585e9b95ca1.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4016 -
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1236
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3960
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4672
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4820 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\system32\taskschd.msc2⤵
- Opens file in notepad (likely ransom note)
PID:4260
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD560a91a498c0f1ffddef484c5a4d42564
SHA1a15dcd408c0aee1f5f38b50528583bdee6536227
SHA25603dc66c9970481c5958d247f9eba93a6a7ad9f9bbf94845b9fbea8ed1e1e0757
SHA512e7b7a308227fc3c72d8d1bd262389257e1f2fa419f6ceff58f73a06f850245f6e1068ea74cf42388ee2ca2712d7b5d9a2ce0e6f7264c3885b82c1caa70891e55