Analysis
Max time kernel: 150s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240611-en
Resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
Submitted: 02-07-2024 20:38
Static task: static1
Behavioral task: behavioral1
  Sample: fa40bdbdd5305d4fab585b65633e7c27b36ef79ccf51983f8e41ac3573ebf944.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: fa40bdbdd5305d4fab585b65633e7c27b36ef79ccf51983f8e41ac3573ebf944.dll
  Resource: win10v2004-20240611-en
General
Target: fa40bdbdd5305d4fab585b65633e7c27b36ef79ccf51983f8e41ac3573ebf944.dll
Size: 5.0MB
MD5: 5818d137c6c7324aa05a01c8c3cfe9d9
SHA1: 58a75425a9e7331de5f9d62d74d5ab063df90996
SHA256: fa40bdbdd5305d4fab585b65633e7c27b36ef79ccf51983f8e41ac3573ebf944
SHA512: 8caf9bf9c3e9225be105814d9a41a10f4a680962e260507a46f4cd9f4d4a610f79ee62c80e019c3b6d2a367e9383e2ddb902ec33568aa625270e053689f44370
SSDEEP: 98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2P:d8qPe1Cxcxk3ZAEUadzR8yc4P
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3208) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  2992  mssecsvc.exe
  1732  mssecsvc.exe
  1928  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description                   ioc                                                                                                      process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes: mssecsvc.exe
  description  ioc                                                                                  process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                         process       target process   entries
  PID 2352 wrote to memory of 2980    rundll32.exe  rundll32.exe     7
  PID 2980 wrote to memory of 2992    rundll32.exe  mssecsvc.exe     4
Processes
C:\Windows\system32\rundll32.exe (PID: 2352)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa40bdbdd5305d4fab585b65633e7c27b36ef79ccf51983f8e41ac3573ebf944.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID: 2980)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\fa40bdbdd5305d4fab585b65633e7c27b36ef79ccf51983f8e41ac3573ebf944.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID: 2992)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID: 1928)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID: 1732)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
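The two behaviours that drive this report's verdict, "Executes dropped EXE" and "Contacts a large (3208) amount of remote hosts", are simple to reproduce on endpoint telemetry. The block below is an added example, not the sandbox's own detection code: it replays a constructed Sysmon-style event list whose PIDs, image paths and command lines mirror the process tree above, then flags processes whose image was written to disk earlier in the same trace and processes that fan out to an unusually large number of distinct hosts. The parent PIDs of the two tree roots (1000, 500), the 10.0.x.x destinations, the benign svchost control, the attribution of the 3208 contacts to the "-m security" instance and the fan-out threshold of 100 are all assumptions made for the example.

```python
"""Toy re-implementation, over constructed Sysmon-style events, of two
behaviours the sandbox flagged: "Executes dropped EXE" and "Contacts a
large amount of remote hosts". Example code, not the sandbox's logic."""
from collections import defaultdict

# Constructed trace (not real telemetry). PIDs, images and command lines
# mirror the report's process tree; parent PIDs 1000/500, the 10.0.x.x
# targets and the svchost control process are assumptions.
# Tuple layout: (event_type, pid, ppid, image, target)
#   filecreate -> target is the path written
#   proccreate -> target is the command line
#   netconn    -> target is the destination IP
DLL = r"C:\Users\Admin\AppData\Local\Temp\fa40bdbdd5305d4fab585b65633e7c27b36ef79ccf51983f8e41ac3573ebf944.dll"
EVENTS = [
    ("proccreate", 2352, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ("proccreate", 2980, 2352, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ("filecreate", 2980, 2352, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ("proccreate", 2992, 2980, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ("filecreate", 2992, 2980, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    ("proccreate", 1928, 2992, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ("proccreate", 1732, 500, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ("proccreate", 700, 500, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]
# 3208 distinct hosts (the report's count), attributed here to the
# "-m security" instance as an assumption; svchost talks to three hosts
# as a benign control.
EVENTS += [("netconn", 1732, 500, r"C:\WINDOWS\mssecsvc.exe", f"10.0.{i // 256}.{i % 256}")
           for i in range(3208)]
EVENTS += [("netconn", 700, 500, r"C:\Windows\System32\svchost.exe", f"192.0.2.{i}")
           for i in range(1, 4)]


def find_dropped_exe_executions(events):
    """Return [(pid, image, writer_pid)] for every process whose image path
    was created earlier in the trace by a different process. Paths are
    compared case-insensitively because Windows reports them inconsistently."""
    dropped = {}  # normalised path -> pid that first wrote it
    hits = []
    for etype, pid, _ppid, image, target in events:
        if etype == "filecreate":
            dropped.setdefault(target.lower(), pid)
        elif etype == "proccreate":
            writer = dropped.get(image.lower())
            if writer is not None and writer != pid:
                hits.append((pid, image, writer))
    return hits


def find_host_fanout(events, threshold=100):
    """Return {(pid, image): distinct_host_count} for processes that opened
    flows to at least `threshold` distinct destination IPs. Counting distinct
    hosts rather than flows is what separates a scanner from a chatty client."""
    hosts = defaultdict(set)
    for etype, pid, _ppid, image, target in events:
        if etype == "netconn":
            hosts[(pid, image)].add(target)
    return {key: len(ips) for key, ips in hosts.items() if len(ips) >= threshold}


def process_chain(events, pid):
    """Command lines from the outermost traced ancestor down to `pid`,
    following parent PIDs; stops when the parent was not seen in the trace."""
    parents = {p: (pp, cmd) for et, p, pp, _img, cmd in events if et == "proccreate"}
    chain = []
    while pid in parents:
        ppid, cmd = parents[pid]
        chain.append(cmd)
        pid = ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, image, writer in find_dropped_exe_executions(EVENTS):
        print(f"dropped EXE executed: pid {pid} {image} (written by pid {writer})")
        print("   chain:", " -> ".join(process_chain(EVENTS, pid)))
    for (pid, image), n in find_host_fanout(EVENTS).items():
        print(f"host fan-out: pid {pid} {image} contacted {n} distinct hosts")
```

Run stand-alone it reports the same three "Executes dropped EXE" hits the sandbox lists (PIDs 2992, 1928 and 1732), shows that the "-m security" instance has no traced parent (it starts its own tree, exactly as in the report), and flags only that instance for host fan-out while the three-host svchost control stays quiet.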
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 2ccb64920bb12c6e0c2c615eeff3e45b
  SHA1: 4ce549d9647cad21e770846802dfd26c822ee0e9
  SHA256: e06694e7c6d670ecc8522fc1d05864cdf717da848c853993a091cf90b53e051b
  SHA512: d95ab9128915a088f8efd15743714fac4ac7928deb0f7fa25bb0bd44133ac65e3371ced697a69463aed897b4a7b830fd6561c869613923fe02ea2eebcef38a87
- Filesize: 3.4MB
  MD5: fc9c1d282075ad5f323a527d191b66f0
  SHA1: f6b1c944d90d736229567f702be1b640f101bcd7
  SHA256: 0ddef7acfdff6f07d415548ac0ebd022534f8ad725e94acec4b3f1660bc66ab4
  SHA512: 69d4ccefd8edf27add09c691388849f54a70abefb62825d3f5d507448bb6f55e985848297ec2fcbdca755ff3e142aa0eea9f60a25e48aec03f77e04ecefac1e2