Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-07-2024 11:01
Static task: static1

Behavioral task: behavioral1
  Sample: 3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c.dll
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: 3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c.dll
  Resource: win10v2004-20240709-en
General

Target: 3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c.dll
Size: 5.0MB
MD5: 3c63f9be8f7752de7f002ed0c3bdfddf
SHA1: 7a0c5379a5e6ed41a8240e7f0e2005b1cd58d500
SHA256: 3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c
SHA512: 9b0ad7f482f709811a6febae0ce4f22baf2e6151f5684e072805affea866a874b8759823d6abcddcc9aa322fe3b5363aa6e1bf9da39052fe56a7105a79a1c782
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large number (3161) of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes:
  PID   process
  3400  mssecsvc.exe
  3568  mssecsvc.exe
  4052  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                      process
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes (all by mssecsvc.exe):
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description      source PID  source process  target PID  target process
  wrote to memory  4372        rundll32.exe    4180        rundll32.exe   (3 entries)
  wrote to memory  4180        rundll32.exe    3400        mssecsvc.exe   (3 entries)
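The two network signatures above ("contacts a large number of remote hosts", "creates a large amount of network flows") rest on one heuristic: a single process fanning out to far more distinct destinations than any ordinary client does. The following is an added example, not the sandbox's own detector, showing that heuristic run over flow records. The records are constructed to resemble this report (mssecsvc.exe, PID 3568, sweeping TCP/445); the sandbox's actual 3161 destinations are not on the page, and the record field names are assumed.

```python
"""Fan-out heuristic: distinct destination hosts per process.

Added example (not sandbox tooling). Groups flow records by (pid, image),
counts distinct destination IPs, and flags processes above a threshold,
reporting the port that dominates their traffic.
"""
from collections import Counter, defaultdict


def build_sample_flows():
    """Constructed flow records: one scanner and one ordinary client."""
    flows = []
    scanner = r"C:\WINDOWS\mssecsvc.exe"
    # 300 distinct hosts in 10.0.0.0/16, all on TCP/445 (SMB), as a WannaCry
    # style sweep would produce (count is constructed, not the report's 3161)
    for i in range(300):
        flows.append({"pid": 3568, "image": scanner,
                      "dst_ip": f"10.0.{1 + i // 256}.{i % 256}", "dst_port": 445})
    # repeated connections to one host must not inflate the distinct count
    for _ in range(20):
        flows.append({"pid": 3568, "image": scanner,
                      "dst_ip": "10.0.1.7", "dst_port": 445})
    # a browser (constructed, hypothetical path) talking to five hosts over TLS
    for host in ("203.0.113.10", "203.0.113.11", "198.51.100.5",
                 "198.51.100.6", "192.0.2.9"):
        for _ in range(4):
            flows.append({"pid": 1234, "image": r"C:\Program Files\Browser\browser.exe",
                          "dst_ip": host, "dst_port": 443})
    return flows


def find_scanners(flows, threshold=100):
    """Return processes that contacted at least `threshold` distinct hosts.

    Each hit carries the distinct-host count, the most-used destination
    port and that port's share of the process's flows (1.0 = every flow
    went to one port, typical of a service sweep).
    """
    hosts = defaultdict(set)       # (pid, image) -> set of dst_ip
    ports = defaultdict(Counter)   # (pid, image) -> dst_port -> flow count
    for f in flows:
        key = (f["pid"], f["image"])
        hosts[key].add(f["dst_ip"])
        ports[key][f["dst_port"]] += 1

    hits = []
    for key, dsts in hosts.items():
        if len(dsts) < threshold:
            continue
        port, n = ports[key].most_common(1)[0]
        hits.append({
            "pid": key[0],
            "image": key[1],
            "distinct_hosts": len(dsts),
            "top_port": port,
            "top_port_share": round(n / sum(ports[key].values()), 3),
        })
    return sorted(hits, key=lambda h: h["distinct_hosts"], reverse=True)


if __name__ == "__main__":
    for hit in find_scanners(build_sample_flows()):
        print(f'PID {hit["pid"]} {hit["image"]}: {hit["distinct_hosts"]} hosts, '
              f'port {hit["top_port"]} ({hit["top_port_share"]:.0%} of flows)')
```

The threshold is deliberately coarse: the report's run reached 3161 hosts inside a 150 s network window, so any value well above normal per-process fan-out separates the sweep from clients; the dominant-port share is what distinguishes a service scan from a process that legitimately talks to many hosts on many ports.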
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c.dll,#1
  PID: 4372
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c.dll,#1
      PID: 4180
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      └ C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          PID: 3400
          - Executes dropped EXE
          - Drops file in Windows directory
          └ C:\WINDOWS\tasksche.exe
              Command line: C:\WINDOWS\tasksche.exe /i
              PID: 4052
              - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3568
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
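The process tree above is a small set of parent/child and command-line relationships, and each one is something a process-creation feed can be checked for. The following is an added example, not part of the sandbox report, that evaluates Sysmon-style process-creation events against four rules derived from the tree: rundll32 loading a DLL from a per-user Temp directory by export ordinal (`,#1`), rundll32 spawning an executable that sits directly in the Windows root, mssecsvc.exe started in its `-m security` service mode, and tasksche.exe run with `/i`. The events are constructed from the PIDs, images and command lines shown; the event field names and the parents of PIDs 4372 and 3568 (not given on the page) are assumptions.

```python
"""Process-lineage rules derived from the report's process tree.

Added example, not the sandbox's own signatures. Events are dicts with the
fields pid, image, cmdline and parent_image (field names are an assumption,
modelled on Sysmon event ID 1).
"""
import re
from pathlib import PureWindowsPath

# rundll32 invoking a DLL out of a per-user Temp directory by ordinal (",#N")
TEMP_DLL_ORDINAL = re.compile(r"\\appdata\\local\\temp\\[^\s,]+\.dll,#\d+",
                              re.IGNORECASE)


def _name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def _parent_dir(path):
    """Lower-cased directory of a Windows path, e.g. 'c:\\windows'."""
    return str(PureWindowsPath(path).parent).lower()


def match_rules(event):
    """Return the names of the rules a single process-creation event trips."""
    hits = []
    image, cmd, parent = event["image"], event["cmdline"], event["parent_image"]

    # Rule 1: rundll32 loading a DLL from AppData\Local\Temp by export ordinal
    if _name(image) == "rundll32.exe" and TEMP_DLL_ORDINAL.search(cmd):
        hits.append("rundll32_temp_dll_ordinal")

    # Rule 2: an executable placed directly in C:\Windows, spawned by rundll32
    if _name(parent) == "rundll32.exe" and _parent_dir(image) == r"c:\windows":
        hits.append("rundll32_spawns_windows_root_exe")

    # Rule 3: mssecsvc.exe running in service mode ("-m security")
    if _name(image) == "mssecsvc.exe" and re.search(r"\s-m\s+security\b", cmd, re.I):
        hits.append("mssecsvc_service_mode")

    # Rule 4: tasksche.exe launched from the Windows root with /i
    if (_name(image) == "tasksche.exe" and _parent_dir(image) == r"c:\windows"
            and re.search(r"\s/i\b", cmd, re.I)):
        hits.append("tasksche_install")

    return hits


def sample_events():
    """Constructed events mirroring the report's process tree."""
    dll = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\3c6433fe316f20bdba715677dfe8205e57a3c166b41712251f21f6d12287a16c.dll")
    return [
        # parent of the first rundll32 is not on the page; explorer.exe is assumed
        {"pid": 4372, "image": r"C:\Windows\system32\rundll32.exe",
         "cmdline": f"rundll32.exe {dll},#1",
         "parent_image": r"C:\Windows\explorer.exe"},
        {"pid": 4180, "image": r"C:\Windows\SysWOW64\rundll32.exe",
         "cmdline": f"rundll32.exe {dll},#1",
         "parent_image": r"C:\Windows\system32\rundll32.exe"},
        {"pid": 3400, "image": r"C:\WINDOWS\mssecsvc.exe",
         "cmdline": r"C:\WINDOWS\mssecsvc.exe",
         "parent_image": r"C:\Windows\SysWOW64\rundll32.exe"},
        {"pid": 4052, "image": r"C:\WINDOWS\tasksche.exe",
         "cmdline": r"C:\WINDOWS\tasksche.exe /i",
         "parent_image": r"C:\WINDOWS\mssecsvc.exe"},
        # the service instance appears at the tree root; services.exe is assumed
        {"pid": 3568, "image": r"C:\WINDOWS\mssecsvc.exe",
         "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security",
         "parent_image": r"C:\Windows\system32\services.exe"},
        # benign control: a Control Panel applet started through rundll32
        {"pid": 5000, "image": r"C:\Windows\system32\rundll32.exe",
         "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL",
         "parent_image": r"C:\Windows\explorer.exe"},
    ]


def scan(events):
    """Map each PID that trips at least one rule to the rules it tripped."""
    results = {}
    for event in events:
        hits = match_rules(event)
        if hits:
            results[event["pid"]] = hits
    return results


if __name__ == "__main__":
    for pid, rules in scan(sample_events()).items():
        print(pid, ", ".join(rules))
```

Rule 2 keys on the image's directory rather than its name, so it also covers the 64-bit to 32-bit rundll32 hop in the tree without firing on it: PID 4180 lives in SysWOW64, not the Windows root, and trips only the Temp-DLL rule.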
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: 441bbb7bed0a43129bf8bcf99fc64889
SHA1: 20d871c1938f16036b79cb7eee8c747d4e3c47f9
SHA256: ad251857262c02bae7c4836172ba77af86a46b6d2442c9f158fcbb1226d9099c
SHA512: 7d0008428f7d0af720e6c0672126178d54a0533c3c94b5a4649daffe3e8c8858704f08508c1f4cd58fcd19db3b33daa4bed8d216c8aaf51e5c4bd2f598217c05

Filesize: 3.4MB
MD5: 34de8be969a83865dd37c378b7cea60d
SHA1: d3c07ba3907737c05af16ec1e1fbdb19e32680f8
SHA256: 8184218abffccce34002ef7abca6ead0d717ec967870cd8e60304d00a5b4a999
SHA512: 3a091f12c4feb491208d762a87d1351e3941d8d15934f067576e64a91f27aa006eae01ca00cce795652b07b909dd9f7f69fbb5a39c46db6222393bb4cc46077c