Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
20-07-2024 08:02
Static task
static1
Behavioral task
behavioral1
Sample
dbab3402b2b9768ef8d47c71bc465f9508a3c9a1e3a55439edf9a04992d8d5d4.dll
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
dbab3402b2b9768ef8d47c71bc465f9508a3c9a1e3a55439edf9a04992d8d5d4.dll
Resource
win10v2004-20240709-en
General
-
Target
dbab3402b2b9768ef8d47c71bc465f9508a3c9a1e3a55439edf9a04992d8d5d4.dll
-
Size
5.0MB
-
MD5
cbbb91e7466659503caa21c703befb5e
-
SHA1
ccdef0353fcfd042c9c29db018e2e1f74887b2aa
-
SHA256
dbab3402b2b9768ef8d47c71bc465f9508a3c9a1e3a55439edf9a04992d8d5d4
-
SHA512
c810a580e927d93131623130823c1a807aa62717a61e36860a71b932d8708c497505e39a2b88b5420a9031af5d633ec4abf1b8e0fe39f5ad8f02225a409622ff
-
SSDEEP
98304:afPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVb:afPe1Cxcxk3ZAEUadzR8ycb
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3147) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 2 IoCs
Processes:
mssecsvr.exemssecsvr.exepid process 1164 mssecsvr.exe 3364 mssecsvr.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 4 IoCs
Processes:
mssecsvr.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 mssecsvr.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvr.exedescription ioc process File created C:\WINDOWS\mssecsvr.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvr.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
mssecsvr.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvr.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2276 wrote to memory of 4960 2276 rundll32.exe rundll32.exe PID 2276 wrote to memory of 4960 2276 rundll32.exe rundll32.exe PID 2276 wrote to memory of 4960 2276 rundll32.exe rundll32.exe PID 4960 wrote to memory of 1164 4960 rundll32.exe mssecsvr.exe PID 4960 wrote to memory of 1164 4960 rundll32.exe mssecsvr.exe PID 4960 wrote to memory of 1164 4960 rundll32.exe mssecsvr.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dbab3402b2b9768ef8d47c71bc465f9508a3c9a1e3a55439edf9a04992d8d5d4.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dbab3402b2b9768ef8d47c71bc465f9508a3c9a1e3a55439edf9a04992d8d5d4.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4960 -
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1164
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3364
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD596e3c461420847b9db7e36187e0295b2
SHA1ba254594bc52a9742568de2247024afdcdbf7cd2
SHA2565ac63698228d139f0cc021450d71515546ad2906d2deb58016a6fc6309542b8b
SHA5120f7753ae2a06e8986f55a08bbe29ef44ba2fba2ac627ce995cbb90cb1f6f9e1725e7aba779eb5a10f06d2160a8876d009f754bd2f59b3da56456760a001ed3f0