Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25-03-2024 16:24
Static task
static1
Behavioral task
behavioral1
Sample
ce223b231f2862124386c585e9b95ca1.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ce223b231f2862124386c585e9b95ca1.dll
Resource
win10v2004-20240226-en
General
-
Target
ce223b231f2862124386c585e9b95ca1.dll
-
Size
5.0MB
-
MD5
ce223b231f2862124386c585e9b95ca1
-
SHA1
61673e2be7e3479a818eb98339692bc7e4a5b79c
-
SHA256
92bc02116a72b13d359ba88e0984ea09d2eb230fbf711d92a0c961e08274a09e
-
SHA512
dede42923cae7167fcff56ae1131e6cb5a9c8ef14d76d1be84211504685d628fa1abf658a7ec89d0bca976c35ef6eb58f93e4f59ffcc4c27468e3e44c0ac4faa
-
SSDEEP
12288:TQbLgmluyQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXF5:MbLguVQhfdmMSirYbcMNgef0QeQjG
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (7583) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 2 IoCs
Processes:
mssecsvr.exemssecsvr.exepid process 2912 mssecsvr.exe 2716 mssecsvr.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 3 IoCs
Processes:
mssecsvr.exemmc.exemmc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvr.exe File opened for modification C:\Windows\system32\eventvwr.msc mmc.exe File opened for modification C:\Windows\system32\eventvwr.msc mmc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvr.exedescription ioc process File created C:\WINDOWS\mssecsvr.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvr.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvr.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B510C714-0045-48B5-B1EF-713DAE6A7B30} mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B510C714-0045-48B5-B1EF-713DAE6A7B30}\WpadDecisionTime = d0e3d9ffd07eda01 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B510C714-0045-48B5-B1EF-713DAE6A7B30}\WpadDecision = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-25-47-96-8f-13 mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B510C714-0045-48B5-B1EF-713DAE6A7B30}\WpadDecisionReason = "1" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B510C714-0045-48B5-B1EF-713DAE6A7B30}\8e-25-47-96-8f-13 mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B510C714-0045-48B5-B1EF-713DAE6A7B30}\WpadNetworkName = "Network 3" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-25-47-96-8f-13\WpadDecisionReason = "1" mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-25-47-96-8f-13\WpadDecisionTime = d0e3d9ffd07eda01 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-25-47-96-8f-13\WpadDecision = "0" mssecsvr.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
mmc.exemmc.exedescription pid process Token: SeSecurityPrivilege 2300 mmc.exe Token: 33 2300 mmc.exe Token: SeIncBasePriorityPrivilege 2300 mmc.exe Token: 33 2300 mmc.exe Token: SeIncBasePriorityPrivilege 2300 mmc.exe Token: 33 2300 mmc.exe Token: SeIncBasePriorityPrivilege 2300 mmc.exe Token: 33 2300 mmc.exe Token: SeIncBasePriorityPrivilege 2300 mmc.exe Token: 33 2300 mmc.exe Token: SeIncBasePriorityPrivilege 2300 mmc.exe Token: 33 2300 mmc.exe Token: SeIncBasePriorityPrivilege 2300 mmc.exe Token: 33 2300 mmc.exe Token: SeIncBasePriorityPrivilege 2300 mmc.exe Token: 33 2300 mmc.exe Token: SeIncBasePriorityPrivilege 2300 mmc.exe Token: 33 2300 mmc.exe Token: SeIncBasePriorityPrivilege 2300 mmc.exe Token: 33 2300 mmc.exe Token: SeIncBasePriorityPrivilege 2300 mmc.exe Token: 33 2300 mmc.exe Token: SeIncBasePriorityPrivilege 2300 mmc.exe Token: SeSecurityPrivilege 2452 mmc.exe Token: 33 2452 mmc.exe Token: SeIncBasePriorityPrivilege 2452 mmc.exe Token: 33 2452 mmc.exe Token: SeIncBasePriorityPrivilege 2452 mmc.exe Token: 33 2452 mmc.exe Token: SeIncBasePriorityPrivilege 2452 mmc.exe Token: 33 2452 mmc.exe Token: SeIncBasePriorityPrivilege 2452 mmc.exe Token: 33 2452 mmc.exe Token: SeIncBasePriorityPrivilege 2452 mmc.exe Token: 33 2452 mmc.exe Token: SeIncBasePriorityPrivilege 2452 mmc.exe Token: 33 2452 mmc.exe Token: SeIncBasePriorityPrivilege 2452 mmc.exe Token: 33 2452 mmc.exe Token: SeIncBasePriorityPrivilege 2452 mmc.exe Token: 33 2452 mmc.exe Token: SeIncBasePriorityPrivilege 2452 mmc.exe Token: 33 2452 mmc.exe Token: SeIncBasePriorityPrivilege 2452 mmc.exe Token: 33 2452 mmc.exe Token: SeIncBasePriorityPrivilege 2452 mmc.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
mmc.exemmc.exepid process 2300 mmc.exe 2300 mmc.exe 2452 mmc.exe 2452 mmc.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
rundll32.exerundll32.exemmc.exemmc.exedescription pid process target process PID 2520 wrote to memory of 2764 2520 rundll32.exe rundll32.exe PID 2520 wrote to memory of 2764 2520 rundll32.exe rundll32.exe PID 2520 wrote to memory of 2764 2520 rundll32.exe rundll32.exe PID 2520 wrote to memory of 2764 2520 rundll32.exe rundll32.exe PID 2520 wrote to memory of 2764 2520 rundll32.exe rundll32.exe PID 2520 wrote to memory of 2764 2520 rundll32.exe rundll32.exe PID 2520 wrote to memory of 2764 2520 rundll32.exe rundll32.exe PID 2764 wrote to memory of 2912 2764 rundll32.exe mssecsvr.exe PID 2764 wrote to memory of 2912 2764 rundll32.exe mssecsvr.exe PID 2764 wrote to memory of 2912 2764 rundll32.exe mssecsvr.exe PID 2764 wrote to memory of 2912 2764 rundll32.exe mssecsvr.exe PID 2300 wrote to memory of 112 2300 mmc.exe dw20.exe PID 2300 wrote to memory of 112 2300 mmc.exe dw20.exe PID 2300 wrote to memory of 112 2300 mmc.exe dw20.exe PID 2452 wrote to memory of 2684 2452 mmc.exe dw20.exe PID 2452 wrote to memory of 2684 2452 mmc.exe dw20.exe PID 2452 wrote to memory of 2684 2452 mmc.exe dw20.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ce223b231f2862124386c585e9b95ca1.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ce223b231f2862124386c585e9b95ca1.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2912
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2716
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 11882⤵PID:112
-
C:\Windows\system32\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 11962⤵PID:2684
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD560a91a498c0f1ffddef484c5a4d42564
SHA1a15dcd408c0aee1f5f38b50528583bdee6536227
SHA25603dc66c9970481c5958d247f9eba93a6a7ad9f9bbf94845b9fbea8ed1e1e0757
SHA512e7b7a308227fc3c72d8d1bd262389257e1f2fa419f6ceff58f73a06f850245f6e1068ea74cf42388ee2ca2712d7b5d9a2ce0e6f7264c3885b82c1caa70891e55