Analysis
- max time kernel: 454s
- max time network: 460s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-03-2024 16:24

Static task: static1

Behavioral task: behavioral1
- Sample: ce223b231f2862124386c585e9b95ca1.dll
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: ce223b231f2862124386c585e9b95ca1.dll
- Resource: win10v2004-20240226-en
General
- Target: ce223b231f2862124386c585e9b95ca1.dll
- Size: 5.0MB
- MD5: ce223b231f2862124386c585e9b95ca1
- SHA1: 61673e2be7e3479a818eb98339692bc7e4a5b79c
- SHA256: 92bc02116a72b13d359ba88e0984ea09d2eb230fbf711d92a0c961e08274a09e
- SHA512: dede42923cae7167fcff56ae1131e6cb5a9c8ef14d76d1be84211504685d628fa1abf658a7ec89d0bca976c35ef6eb58f93e4f59ffcc4c27468e3e44c0ac4faa
- SSDEEP: 12288:TQbLgmluyQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXF5:MbLguVQhfdmMSirYbcMNgef0QeQjG
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (11897) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvr.exe, mssecsvr.exe, mssecsvr.exe
    PID   Process
    4564  mssecsvr.exe
    4380  mssecsvr.exe
    3216  mssecsvr.exe
- Drops file in System32 directory (2 IoCs)
  Processes: mmc.exe, mmc.exe
    Description                   IoC                                Process
    File opened for modification  C:\Windows\system32\eventvwr.msc   mmc.exe
    File opened for modification  C:\Windows\system32\eventvwr.msc   mmc.exe
- Drops file in Windows directory (3 IoCs)
  Processes: rundll32.exe, mssecsvr.exe, mssecsvr.exe
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvr.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvr.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvr.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvr.exe
    Description      IoC                                                                                                      Process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\             mssecsvr.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvr.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvr.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvr.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvr.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: mmc.exe, mmc.exe
    PID   Process
    1456  mmc.exe
    3512  mmc.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: mmc.exe
    Description  PID   Process
    All 64 entries are PID 1456 mmc.exe: Token: SeSecurityPrivilege (twice), the remainder alternating Token: 33 and Token: SeIncBasePriorityPrivilege.
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: mmc.exe, mmc.exe
    PID   Process
    1456  mmc.exe
    1456  mmc.exe
    3512  mmc.exe
    3512  mmc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    Description                       PID   Process       Target process
    PID 4776 wrote to memory of 5020  4776  rundll32.exe  rundll32.exe
    PID 4776 wrote to memory of 5020  4776  rundll32.exe  rundll32.exe
    PID 4776 wrote to memory of 5020  4776  rundll32.exe  rundll32.exe
    PID 5020 wrote to memory of 4564  5020  rundll32.exe  mssecsvr.exe
    PID 5020 wrote to memory of 4564  5020  rundll32.exe  mssecsvr.exe
    PID 5020 wrote to memory of 4564  5020  rundll32.exe  mssecsvr.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce223b231f2862124386c585e9b95ca1.dll,#1
  PID: 4776
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce223b231f2862124386c585e9b95ca1.dll,#1
    PID: 5020
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      PID: 4564
      Signatures: Executes dropped EXE; Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  PID: 4380
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
- C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
  PID: 1456
  Signatures: Drops file in System32 directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4132 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
  PID: 2580
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 692
- C:\Windows\mssecsvr.exe
  Command line: "C:\Windows\mssecsvr.exe"
  PID: 3216
  Signatures: Executes dropped EXE; Drops file in Windows directory
- C:\Windows\system32\mmc.exe
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
  PID: 3512
  Signatures: Drops file in System32 directory; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
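The process tree above (rundll32.exe loading the DLL by ordinal #1, writing and launching C:\WINDOWS\mssecsvr.exe, which is then run again with -m security, creates C:\WINDOWS\tasksche.exe and rewrites ZoneMap values under HKEY_USERS\.DEFAULT) and the two network-scan signatures map directly onto hunt rules. The Python below is an added example, not output of this report or the sandbox. Its event records are constructed to mirror the report's process tree; the field names loosely follow Sysmon event types and are assumptions, the parent PID 700 for the "-m security" launch is a placeholder because the report shows no parent, and the 445/tcp destinations are synthetic (the report states only that 11897 hosts were contacted, not which ones).

```python
"""Hunt rules for the behaviours listed in this report.

Added example, not sandbox output. The events below are constructed to mirror
the report's process tree; field names loosely follow Sysmon (1 = process
create, 3 = network connect, 11 = file create, 13 = registry value set) and
are assumptions, as are the parent PID 700 and the 10.0.0.0/16 targets."""
import re
from collections import defaultdict

# An .exe sitting directly in the Windows directory (not System32/SysWOW64),
# which is where this sample writes mssecsvr.exe and tasksche.exe.
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)
# Internet Settings\ZoneMap under HKEY_USERS\.DEFAULT, i.e. written in SYSTEM context.
ZONEMAP_DEFAULT = re.compile(
    r"^\\REGISTRY\\USER\\\.DEFAULT\\.*\\Internet Settings\\ZoneMap\\", re.I)


def ev(eid, pid, image, **fields):
    return {"id": eid, "pid": pid, "image": image, **fields}


EVENTS = [  # constructed, in time order
    ev(1, 5020, r"C:\Windows\SysWOW64\rundll32.exe", ppid=4776,
       cmd=r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce223b231f2862124386c585e9b95ca1.dll,#1"),
    ev(11, 5020, r"C:\Windows\SysWOW64\rundll32.exe", target=r"C:\WINDOWS\mssecsvr.exe"),
    ev(1, 4564, r"C:\WINDOWS\mssecsvr.exe", ppid=5020, cmd=r"C:\WINDOWS\mssecsvr.exe"),
    ev(11, 4564, r"C:\WINDOWS\mssecsvr.exe", target=r"C:\WINDOWS\tasksche.exe"),
    ev(1, 4380, r"C:\WINDOWS\mssecsvr.exe", ppid=700,  # parent not in the report; placeholder
       cmd=r"C:\WINDOWS\mssecsvr.exe -m security"),
    ev(13, 4380, r"C:\WINDOWS\mssecsvr.exe", value="0",
       key=r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect"),
    # Benign activity that is also in the report and must not fire.
    ev(1, 1456, r"C:\Windows\system32\mmc.exe", ppid=900,
       cmd=r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s'),
]
# One process opening 445/tcp to 1500 distinct hosts: the fan-out behind the
# "contacts a large number of remote hosts" signature (synthetic addresses).
EVENTS += [ev(3, 4380, r"C:\WINDOWS\mssecsvr.exe", dst=f"10.0.{i // 256}.{i % 256}", dport=445)
           for i in range(1, 1501)]


def rundll32_drops_exe_in_windows_root(events):
    """File creates by rundll32.exe that land directly under the Windows directory."""
    return sorted({e["target"] for e in events
                   if e["id"] == 11
                   and e["image"].lower().endswith("\\rundll32.exe")
                   and WINDOWS_ROOT_EXE.match(e["target"])})


def dropped_exe_executed(events):
    """PIDs whose image path was written by an earlier file-create event."""
    dropped, hits = set(), []
    for e in events:
        if e["id"] == 11:
            dropped.add(e["target"].lower())
        elif e["id"] == 1 and e["image"].lower() in dropped:
            hits.append(e["pid"])
    return hits


def zonemap_changes_under_default_hive(events):
    """(pid, value name, data) for ZoneMap writes made under HKEY_USERS\\.DEFAULT."""
    return [(e["pid"], e["key"].rsplit("\\", 1)[1], e["value"])
            for e in events if e["id"] == 13 and ZONEMAP_DEFAULT.match(e["key"])]


def smb_fanout(events, threshold=1000):
    """PID -> number of distinct 445/tcp peers, for PIDs above the threshold."""
    peers = defaultdict(set)
    for e in events:
        if e["id"] == 3 and e.get("dport") == 445:
            peers[e["pid"]].add(e["dst"])
    return {pid: len(p) for pid, p in peers.items() if len(p) > threshold}


def run_hunt(events):
    return {
        "rundll32_drop": rundll32_drops_exe_in_windows_root(events),
        "dropped_exe_run": dropped_exe_executed(events),
        "zonemap": zonemap_changes_under_default_hive(events),
        "smb_fanout": smb_fanout(events),
    }


if __name__ == "__main__":
    for name, finding in run_hunt(EVENTS).items():
        print(f"{name}: {finding}")
```

The rules key on structure rather than on the file name: an executable created by rundll32.exe directly in the Windows root, a process whose image was written moments earlier, ZoneMap writes under the .DEFAULT hive (which only a SYSTEM-context process normally touches), and one PID fanning out to more 445/tcp peers than any legitimate client would. The mmc.exe event is included so the rules can be checked against the benign noise the sandbox also recorded; the fan-out threshold is a tuning knob, and on real telemetry the distinct-peer count should be computed per time window rather than over the whole trace.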
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 8d8c0f9c3af155ceb1feaaffb5ba155f
  SHA1: f9492a829ae4e1ae8b03b9ccfee2b36b8ea09817
  SHA256: 292ba75d958841b7bafc6ff7b6794a4bdb88b324216b3b33f2bb14447356de98
  SHA512: 5da396421f2487085d02e09f81e4ee1ae84d967d8dd4bd5c911ef5ba13496eb92544d846af7b184948ea50a17a11bf0527554c3838870032b3f1ff8f88a7872b
- Filesize: 1KB
  MD5: d0970581271d0c28a1a7bece525d2f5a
  SHA1: 32267450b2555e3ce1b48f756bf84f250cfb0b36
  SHA256: 9289ae1cabb7b69426bc7f7044a1e6d169ee09e1092513e4f98d9c0db54fe0c1
  SHA512: 0238b34ecba9ba5d10a1eceadb553b827d5987543cd86ae5c38c6bce9a5622a3188315ae59e7fa98000af0ac266e1afd4a8054e6504f22b4fb4a1af12000c2c9
- Filesize: 1KB
  MD5: b3b4a29d6f98549de8ba4730c206cb13
  SHA1: b2263d9873648637273f45f0e56ca628f4035062
  SHA256: 77167f6d47770ba10e286fe674480904fe1a60371f7d7a92629c54c4812c984d
  SHA512: b58751a002e3b611f93c6b932f16932133e4b9e6a6670fbed1fecf35b4d0c4894e43a63b5a116be578e8e0f8ab40f4193441e1ddba9fb1930b6478ead2fd56ca
- Filesize: 109B
  MD5: f31bd6fab0021178ea66e8cd8f0c051f
  SHA1: efb7a75e1ef7cc5649df5c25f528b47dad908b3b
  SHA256: 4a6cd1e0bd61796623b25f14d9c58b188a9fa5e649964cd1a6dd50b5d4ddca77
  SHA512: 39ed61f2451a0c97930b5a23d191587803d6fab132bb020bf19069f6f2172010f2099c0c56abffcc9aa9163c8fd9ad9e255e213a7bbd3548158458b051c9b131
- Filesize: 136KB
  MD5: 2234ca458e2999aea55785cd0a770868
  SHA1: 6afcee4a18a027590a7c96c1ef05e0b089bf7bb7
  SHA256: 9626b1fb2cbe2c634cc7bd3ca1ecf244a0960f1823aabe9b0ba83038978ba146
  SHA512: 246f3dc923cbe1f831afcd2c4a84e19d60a706adffe699fe4ea8aa2683e6464cbcbc7d5b6c29c977ed1c32b9c241d4d9ab397d2c469a3656a07dd7c1977b3ca8
- Filesize: 2.2MB
  MD5: 60a91a498c0f1ffddef484c5a4d42564
  SHA1: a15dcd408c0aee1f5f38b50528583bdee6536227
  SHA256: 03dc66c9970481c5958d247f9eba93a6a7ad9f9bbf94845b9fbea8ed1e1e0757
  SHA512: e7b7a308227fc3c72d8d1bd262389257e1f2fa419f6ceff58f73a06f850245f6e1068ea74cf42388ee2ca2712d7b5d9a2ce0e6f7264c3885b82c1caa70891e55