Analysis
- max time kernel: 150s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 02:02
Static task: static1
Behavioral task: behavioral1
- Sample: ab9a8b13426052f871ad2473ca727445.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ab9a8b13426052f871ad2473ca727445.dll
- Resource: win10v2004-20240508-en
General
- Target: ab9a8b13426052f871ad2473ca727445.dll
- Size: 5.0MB
- MD5: ab9a8b13426052f871ad2473ca727445
- SHA1: 402bad956a2c54c8f4b32d255df723fc9f297089
- SHA256: eeb4d095615c2faa4a25c9d3ddd7e056c0f1a596917f48d4351e0fed2040685c
- SHA512: 6ab7ae1803632b5e348614a71b58c240274da09192ece086108b70f340ce4afa4dd2836e8749e10e87def27da6928949a07ded505fc1ffa21e976f72b50b95c6
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdd1HkQo6SAARdhnvx:+DqPoBhz1aRxcSUZk36SAEdhvx
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (2675) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 4288  mssecsvc.exe
    PID 3732  mssecsvc.exe
    PID 2804  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created  C:\WINDOWS\mssecsvc.exe  by rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  by mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (all by mssecsvc.exe):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 3148 rundll32.exe  wrote to memory of  PID 4752 rundll32.exe
    PID 3148 rundll32.exe  wrote to memory of  PID 4752 rundll32.exe
    PID 3148 rundll32.exe  wrote to memory of  PID 4752 rundll32.exe
    PID 4752 rundll32.exe  wrote to memory of  PID 4288 mssecsvc.exe
    PID 4752 rundll32.exe  wrote to memory of  PID 4288 mssecsvc.exe
    PID 4752 rundll32.exe  wrote to memory of  PID 4288 mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 3148)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab9a8b13426052f871ad2473ca727445.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4752)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab9a8b13426052f871ad2473ca727445.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 4288)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2804)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 3732)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 76c9ea6eb26472d7c6adae1de0da9627
  SHA1: 994583dfc53576fbaedba77baa71b123b0540cea
  SHA256: 93cc8628417711f799d8239284c81d5589453afe196b87079c8ddb24b8e6a6d3
  SHA512: 18a3fee23d1b3d10ff841eee1ea5bdf39f84a2c85e7fb1bb97bc47efbba547d2928b1fa3ce832d5fec291572e82d6b7e74b2b2a862b2fbc1fd051afda4d2de45
- Filesize: 3.4MB
  MD5: d9ab07fdbd01e1673d4732789453ba5e
  SHA1: 8586e13eb3cc100621e313e095eb866d599e16dd
  SHA256: 619777a0df4d2d6dffaeb1355391d9cf89b4a52addaf23d2f2f9961ea9dcbed6
  SHA512: c80850f612abbb8e3085f1cef55ba38b874a3f80ae24d168e515b41b64d90ce6696023bfa2298f5aad1da8f0777e4d046afc7d0100cd1dfd29a4fe44283e3393