Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
31-05-2024 21:45
Static task
static1
Behavioral task
behavioral1
Sample
538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786.dll
Resource
win10v2004-20240426-en
General
-
Target
538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786.dll
-
Size
5.0MB
-
MD5
7c0ada776091154a2cb1015bcac66d65
-
SHA1
14b85e1558e891542fcc3fd71e2ab2068537112b
-
SHA256
538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786
-
SHA512
1ced5f1536b4fd61b49dfb16e3eca0777f8b1c7387a4ecc1de889027ae219c507f1d6a4ad921496352a6a09f1c616338fbcd7636a203e6c6489b019400d1965b
-
SSDEEP
98304:8DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:8DqPe1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3166) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
UPX dump on OEP (original entry point) 7 IoCs
Processes:
resource yara_rule behavioral2/memory/552-7-0x0000000010000000-0x0000000010030000-memory.dmp UPX C:\Program Files\Common Files\System\symsrv.dll UPX behavioral2/memory/3392-15-0x0000000010000000-0x0000000010030000-memory.dmp UPX behavioral2/memory/552-23-0x0000000010000000-0x0000000010030000-memory.dmp UPX behavioral2/memory/3392-33-0x0000000010000000-0x0000000010030000-memory.dmp UPX behavioral2/memory/3392-43-0x0000000010000000-0x0000000010030000-memory.dmp UPX behavioral2/memory/3392-49-0x0000000010000000-0x0000000010030000-memory.dmp UPX -
Modifies AppInit DLL entries 2 TTPs
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
Processes:
resource yara_rule C:\Program Files\Common Files\System\symsrv.dll acprotect -
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 552 mssecsvc.exe 3392 mssecsvc.exe 4316 tasksche.exe -
Loads dropped DLL 4 IoCs
Processes:
mssecsvc.exemssecsvc.exepid process 552 mssecsvc.exe 3392 mssecsvc.exe 3392 mssecsvc.exe 3392 mssecsvc.exe -
Processes:
resource yara_rule behavioral2/memory/552-7-0x0000000010000000-0x0000000010030000-memory.dmp upx C:\Program Files\Common Files\System\symsrv.dll upx behavioral2/memory/3392-15-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/552-23-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/3392-33-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/3392-43-0x0000000010000000-0x0000000010030000-memory.dmp upx behavioral2/memory/3392-49-0x0000000010000000-0x0000000010030000-memory.dmp upx -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
mssecsvc.exedescription ioc process File opened (read-only) \??\e: mssecsvc.exe -
Drops file in System32 directory 4 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE mssecsvc.exe -
Drops file in Program Files directory 2 IoCs
Processes:
mssecsvc.exemssecsvc.exedescription ioc process File created C:\Program Files\Common Files\System\symsrv.dll mssecsvc.exe File created \??\c:\program files\common files\system\symsrv.dll.000 mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 8 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
mssecsvc.exemssecsvc.exepid process 552 mssecsvc.exe 552 mssecsvc.exe 3392 mssecsvc.exe 3392 mssecsvc.exe 3392 mssecsvc.exe 3392 mssecsvc.exe 3392 mssecsvc.exe 3392 mssecsvc.exe 3392 mssecsvc.exe 3392 mssecsvc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
mssecsvc.exemssecsvc.exedescription pid process Token: SeDebugPrivilege 552 mssecsvc.exe Token: SeDebugPrivilege 3392 mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4140 wrote to memory of 4720 4140 rundll32.exe rundll32.exe PID 4140 wrote to memory of 4720 4140 rundll32.exe rundll32.exe PID 4140 wrote to memory of 4720 4140 rundll32.exe rundll32.exe PID 4720 wrote to memory of 552 4720 rundll32.exe mssecsvc.exe PID 4720 wrote to memory of 552 4720 rundll32.exe mssecsvc.exe PID 4720 wrote to memory of 552 4720 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\538182cd64e9b5d8c5e4b78d990a6b75f1b56b8a2dbc1bcaa3bee7bf59e5a786.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4720 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:552 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:4316
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3392
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\System\symsrv.dllFilesize
67KB
MD57574cf2c64f35161ab1292e2f532aabf
SHA114ba3fa927a06224dfe587014299e834def4644f
SHA256de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085
SHA5124db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab
-
C:\Program Files\Common Files\System\symsrv.dll.000Filesize
175B
MD51130c911bf5db4b8f7cf9b6f4b457623
SHA148e734c4bc1a8b5399bff4954e54b268bde9d54c
SHA256eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1
SHA51294e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5bc0ac3a1d5eed55f308a08ea8d52d603
SHA1e25e171c5009ed601d24b3bd57316e60c7418960
SHA256355008c92c4ebb44326349f57d3d7c4f18a1a0921c998faa74c084bc78df227c
SHA5126f48ace39e8158643c3080caeb0956ed7b229286fb52b0991fe7ed09850e354f5ff87ed0f1f4f9aa53cb7acdc5b76949a167c668decff653f77f1646984feb88
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD57f7ccaa16fb15eb1c7399d422f8363e8
SHA1bd44d0ab543bf814d93b719c24e90d8dd7111234
SHA2562584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
SHA51283e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7
-
memory/552-7-0x0000000010000000-0x0000000010030000-memory.dmpFilesize
192KB
-
memory/552-23-0x0000000010000000-0x0000000010030000-memory.dmpFilesize
192KB
-
memory/3392-35-0x0000000000AF0000-0x0000000000B20000-memory.dmpFilesize
192KB
-
memory/3392-40-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-25-0x0000000076875000-0x0000000076876000-memory.dmpFilesize
4KB
-
memory/3392-26-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-30-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-29-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-33-0x0000000010000000-0x0000000010030000-memory.dmpFilesize
192KB
-
memory/3392-34-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-16-0x0000000000AF0000-0x0000000000B20000-memory.dmpFilesize
192KB
-
memory/3392-36-0x0000000000AF0000-0x0000000000B20000-memory.dmpFilesize
192KB
-
memory/3392-39-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-15-0x0000000010000000-0x0000000010030000-memory.dmpFilesize
192KB
-
memory/3392-17-0x0000000000AF0000-0x0000000000B20000-memory.dmpFilesize
192KB
-
memory/3392-43-0x0000000010000000-0x0000000010030000-memory.dmpFilesize
192KB
-
memory/3392-44-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-45-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-48-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-49-0x0000000010000000-0x0000000010030000-memory.dmpFilesize
192KB
-
memory/3392-50-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-51-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-53-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-54-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB
-
memory/3392-55-0x0000000076860000-0x00000000768C3000-memory.dmpFilesize
396KB