Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: 3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c.dll
  Resource: win10v2004-20240709-en
General
Target: 3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c.dll
Size: 5.0MB
MD5: 3c63f9be8f7752de7f002ed0c3bdfddf
SHA1: 7a0c5379a5e6ed41a8240e7f0e2005b1cd58d500
SHA256: 3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c
SHA512: 9b0ad7f482f709811a6febae0ce4f22baf2e6151f5684e072805affea866a874b8759823d6abcddcc9aa322fe3b5363aa6e1bf9da39052fe56a7105a79a1c782
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3247) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid | process
  2672 | mssecsvc.exe
  3028 | mssecsvc.exe
  2604 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B4C311BB-3916-4493-A14A-97C9F7E1EC63}\WpadDecisionTime = 00aa5f545ddbda01 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0085000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-73-39-d2-d6-d3\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B4C311BB-3916-4493-A14A-97C9F7E1EC63}\WpadDecision = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-73-39-d2-d6-d3\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B4C311BB-3916-4493-A14A-97C9F7E1EC63} | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B4C311BB-3916-4493-A14A-97C9F7E1EC63}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B4C311BB-3916-4493-A14A-97C9F7E1EC63}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-73-39-d2-d6-d3 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B4C311BB-3916-4493-A14A-97C9F7E1EC63}\8a-73-39-d2-d6-d3 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-73-39-d2-d6-d3\WpadDecisionTime = 00aa5f545ddbda01 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2796 wrote to memory of 2936 | 2796 | rundll32.exe | rundll32.exe
  PID 2796 wrote to memory of 2936 | 2796 | rundll32.exe | rundll32.exe
  PID 2796 wrote to memory of 2936 | 2796 | rundll32.exe | rundll32.exe
  PID 2796 wrote to memory of 2936 | 2796 | rundll32.exe | rundll32.exe
  PID 2796 wrote to memory of 2936 | 2796 | rundll32.exe | rundll32.exe
  PID 2796 wrote to memory of 2936 | 2796 | rundll32.exe | rundll32.exe
  PID 2796 wrote to memory of 2936 | 2796 | rundll32.exe | rundll32.exe
  PID 2936 wrote to memory of 2672 | 2936 | rundll32.exe | mssecsvc.exe
  PID 2936 wrote to memory of 2672 | 2936 | rundll32.exe | mssecsvc.exe
  PID 2936 wrote to memory of 2672 | 2936 | rundll32.exe | mssecsvc.exe
  PID 2936 wrote to memory of 2672 | 2936 | rundll32.exe | mssecsvc.exe
Processes (indentation shows parent/child relationship)
C:\Windows\system32\rundll32.exe (PID 2796)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2936)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 2672)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 2604)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe (PID 3028)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: 441bbb7bed0a43129bf8bcf99fc64889
SHA1: 20d871c1938f16036b79cb7eee8c747d4e3c47f9
SHA256: ad251857262c02bae7c4836172ba77af86a46b6d2442c9f158fcbb1226d9099c
SHA512: 7d0008428f7d0af720e6c0672126178d54a0533c3c94b5a4649daffe3e8c8858704f08508c1f4cd58fcd19db3b33daa4bed8d216c8aaf51e5c4bd2f598217c05

Filesize: 3.4MB
MD5: 34de8be969a83865dd37c378b7cea60d
SHA1: d3c07ba3907737c05af16ec1e1fbdb19e32680f8
SHA256: 8184218abffccce34002ef7abca6ead0d717ec967870cd8e60304d00a5b4a999
SHA512: 3a091f12c4feb491208d762a87d1351e3941d8d15934f067576e64a91f27aa006eae01ca00cce795652b07b909dd9f7f69fbb5a39c46db6222393bb4cc46077c