Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 02-07-2024 19:16
Static task: static1
Behavioral task: behavioral1
  Sample: 8623833369df77caf48fea8fbb02991288ec704408a6b2ab8f080e50c073bde3.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 8623833369df77caf48fea8fbb02991288ec704408a6b2ab8f080e50c073bde3.dll
  Resource: win10v2004-20240611-en
General
- Target: 8623833369df77caf48fea8fbb02991288ec704408a6b2ab8f080e50c073bde3.dll
- Size: 5.0MB
- MD5: ee5f76b5cc4312095074df3967b13617
- SHA1: 254d83a07c6171e926d624080d60c0715fb19f13
- SHA256: 8623833369df77caf48fea8fbb02991288ec704408a6b2ab8f080e50c073bde3
- SHA512: 2f9e0aeb58827a6564efc495e4e195a930c75e7892761346094af58a7250789bc55e80e88be73a80f60b4a403671eadbd9e98c5c88325a73d813e6102bef5fa4
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:TDqPoBhz1aRxcSUDk36SAEdhvxWa9
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3318) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    1664  mssecsvc.exe
    2972  mssecsvc.exe
    2668  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description / ioc / process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description / ioc / process):
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-87-f1-8e-c4-b7  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-87-f1-8e-c4-b7\WpadDecisionTime = a0a8c552b4ccda01  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-87-f1-8e-c4-b7\WpadDecision = "0"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5795B581-5DB6-4FFF-AC52-E33B4B68711D}\WpadDecisionTime = a0a8c552b4ccda01  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5795B581-5DB6-4FFF-AC52-E33B4B68711D}\WpadDecision = "0"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0064000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5795B581-5DB6-4FFF-AC52-E33B4B68711D}\62-87-f1-8e-c4-b7  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5795B581-5DB6-4FFF-AC52-E33B4B68711D}\WpadDecisionReason = "1"  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5795B581-5DB6-4FFF-AC52-E33B4B68711D}\WpadNetworkName = "Network 3"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-87-f1-8e-c4-b7\WpadDecisionReason = "1"  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5795B581-5DB6-4FFF-AC52-E33B4B68711D}  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description / pid / process / target process):
    PID 2736 wrote to memory of 2236  rundll32.exe -> rundll32.exe
    PID 2736 wrote to memory of 2236  rundll32.exe -> rundll32.exe
    PID 2736 wrote to memory of 2236  rundll32.exe -> rundll32.exe
    PID 2736 wrote to memory of 2236  rundll32.exe -> rundll32.exe
    PID 2736 wrote to memory of 2236  rundll32.exe -> rundll32.exe
    PID 2736 wrote to memory of 2236  rundll32.exe -> rundll32.exe
    PID 2736 wrote to memory of 2236  rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 1664  rundll32.exe -> mssecsvc.exe
    PID 2236 wrote to memory of 1664  rundll32.exe -> mssecsvc.exe
    PID 2236 wrote to memory of 1664  rundll32.exe -> mssecsvc.exe
    PID 2236 wrote to memory of 1664  rundll32.exe -> mssecsvc.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8623833369df77caf48fea8fbb02991288ec704408a6b2ab8f080e50c073bde3.dll,#1
  PID: 2736
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8623833369df77caf48fea8fbb02991288ec704408a6b2ab8f080e50c073bde3.dll,#1
    PID: 2236
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1664
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2668
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2972
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 9890c9dbf8c659fa98130bba6c38683f
  SHA1: 42ae2ad8a47176f67f71f4b69552e37401a62d38
  SHA256: 860069ce5390b85cfff852295d2113ea0d052003f8c769c20184962aae6b37d6
  SHA512: b5a196a8a9b25f57bc075ed117dbfe991f3cd7fff33f598cee5e1109caf749431221098098127fb2e0bdf8c820ccf236fe1a863c8f33c12dc7c055b33eca2d60
- Filesize: 3.4MB
  MD5: dbcd133912ef8b511909bceafe6eb16d
  SHA1: cdeb4dc71a6287ad3dc42de4ecd5cd160eae3ea2
  SHA256: 5265873b0641f1875701a126fcf56d45d1f4a91de77ee4e1ca5507a5062c362a
  SHA512: 1a5d5c78de9609bf60b62ab595dc4e1cd90ad9f3582b45052c1837578d10d86ab533340a3251db143ea19a8a157329bdd622a1ac88e3416883eab3b15a05a8cf