Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 21-07-2024 15:32
Static task: static1
Behavioral task: behavioral1
  Sample: 3b35adf078a6301cd46a48a0084ee4c0d3637a9a2813522966f6a25741e44e7a.dll
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 3b35adf078a6301cd46a48a0084ee4c0d3637a9a2813522966f6a25741e44e7a.dll
  Resource: win10v2004-20240709-en
The signatures and process tree below are from the behavioral1 run (platform windows7_x64, resource win7-20240705-en); results from the Windows 10 task are not included on this page.
General
Target: 3b35adf078a6301cd46a48a0084ee4c0d3637a9a2813522966f6a25741e44e7a.dll
Size: 5.0MB
MD5: b2a474da5eb5dae63a1f6768d0a4e7fe
SHA1: 72e158160ce94775627c18539e291ce22b5f0c61
SHA256: 3b35adf078a6301cd46a48a0084ee4c0d3637a9a2813522966f6a25741e44e7a
SHA512: c85970e8c2170c9fafc38d0e8fd51060de7fd1c0ca84fea325c900d9d0d556169133f9d65627276c427105de8153692382732348783272a5daf7ede23be3c156
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAH:+DqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (3224) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services. 3224 distinct hosts inside the 150 s network window is the signature of a worm sweep rather than of command-and-control traffic, which touches a handful of hosts at most.
-
Executes dropped EXE 3 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  2124  mssecsvc.exe
  2984  mssecsvc.exe
  2884  tasksche.exe
-
Creates a large number of network flows 1 TTPs
This may indicate a network scan to discover remotely running services. Taken together with the host count above, the flow count and the distinct-host count per process are the two fields worth thresholding in a production capture.
-
Drops file in System32 directory 1 IoCs
Processes: mssecsvc.exe
  description                   ioc                                                                                                            process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
This is WinINet's cache bookkeeping file in the SYSTEM profile, seen through the SysWOW64 redirection that a 32-bit process gets. It is a side effect of the "-m security" instance (PID 2984) initialising WinINet while running as LocalSystem, not a payload drop; the file is opened for modification, not created.
-
Drops file in Windows directory 2 IoCs
Processes: rundll32.exe, mssecsvc.exe
  description   ioc                      process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
Both drops land directly in C:\WINDOWS, which requires administrative rights; a new executable written there by rundll32.exe, or by a binary that was itself just created, is a high-value detection on its own.
-
Modifies data under HKEY_USERS 24 IoCs
All 24 entries are written by mssecsvc.exe under \REGISTRY\USER\.DEFAULT, the hive a LocalSystem service sees as its HKEY_CURRENT_USER. They are WinINet's proxy auto-detection (WPAD), connection-settings and cache-prefix bookkeeping, so they confirm that the "-m security" instance (PID 2984) runs as SYSTEM and initialises WinINet, but they are not WannaCry-specific and are poor detection signatures on their own.
Processes: mssecsvc.exe
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4125397-A7F8-4282-9D89-31BAAAA5C6B3}
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4125397-A7F8-4282-9D89-31BAAAA5C6B3}\WpadNetworkName = "Network 3"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-76-77-7f-33-5b
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4125397-A7F8-4282-9D89-31BAAAA5C6B3}\ae-76-77-7f-33-5b
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4125397-A7F8-4282-9D89-31BAAAA5C6B3}\WpadDecisionReason = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4125397-A7F8-4282-9D89-31BAAAA5C6B3}\WpadDecision = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-76-77-7f-33-5b\WpadDecision = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4125397-A7F8-4282-9D89-31BAAAA5C6B3}\WpadDecisionTime = 5055d22e83dbda01
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-76-77-7f-33-5b\WpadDecisionReason = "1"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-76-77-7f-33-5b\WpadDecisionTime = 5055d22e83dbda01
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process  calls
  PID 2576 wrote to memory of 1072   2576  rundll32.exe  rundll32.exe    7
  PID 1072 wrote to memory of 2124   1072  rundll32.exe  mssecsvc.exe    4
The original lists one row per WriteProcessMemory call (7 + 4 = 11); they are collapsed here by parent/child pair. Writes by a parent into a child it has just created are consistent with ordinary process creation rather than injection, so the value of this signature is the launch chain it records (64-bit rundll32.exe to 32-bit rundll32.exe to mssecsvc.exe), not the API itself.
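The two network signatures above are thresholds on fan-out, not on any particular destination. The following is an added example written for this report, not code from the sandbox or from the sample: a sliding-window detector that alerts when one process has contacted a threshold number of distinct remote hosts within a trailing window, run over constructed flow records (a browser re-contacting eight hosts, and a process sweeping a /24). The flow records, the 445 destination port, the window and the threshold are all assumptions; the report itself only gives the host count (3224) and the 150 s network window. Function and constant names are my own.

```python
"""Sliding-window fan-out detector for the 'contacts a large number of
remote hosts' / 'creates a large number of network flows' behaviour.
Added example for this report; the flows below are constructed."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

T0 = datetime(2024, 7, 21, 15, 32, 0)  # matches the report's submission time


def constructed_flows():
    """(timestamp, process image, destination IP, destination port), time-ordered."""
    flows = []
    # Benign baseline: a browser re-contacting the same eight CDN hosts.
    for i in range(40):
        flows.append((T0 + timedelta(seconds=3 * i), "chrome.exe",
                      f"203.0.113.{i % 8 + 1}", 443))
    # Scanner: one new host every 200 ms across a /24, the shape behind the
    # signature. Port 445 is an assumption; the report records hosts, not ports.
    base = ipaddress.IPv4Address("10.0.0.1")
    for i in range(254):
        flows.append((T0 + timedelta(milliseconds=200 * i), "mssecsvc.exe",
                      str(base + i), 445))
    flows.sort(key=lambda f: f[0])  # stable sort keeps per-process order
    return flows


def fanout_alerts(flows, window_s=60.0, threshold=100):
    """Alert once per process, the first time it has contacted `threshold`
    distinct hosts within the trailing `window_s` seconds.

    Returns [(process, first_alert_time, distinct_hosts, port), ...].
    Distinct hosts, not flow count, is the key: a browser re-contacting a
    handful of servers produces many flows but never trips this."""
    recent = defaultdict(deque)   # process -> deque of (ts, dst) inside the window
    live = defaultdict(Counter)   # process -> dst -> flows still inside the window
    alerted, alerts = set(), []
    for ts, proc, dst, port in flows:
        q, c = recent[proc], live[proc]
        q.append((ts, dst))
        c[dst] += 1
        # Expire flows that have fallen out of the trailing window.
        while q and (ts - q[0][0]).total_seconds() > window_s:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if proc not in alerted and len(c) >= threshold:
            alerted.add(proc)
            alerts.append((proc, ts, len(c), port))
    return alerts


if __name__ == "__main__":
    for proc, ts, n, port in fanout_alerts(constructed_flows()):
        print(f"{ts.isoformat()} {proc} reached {n} distinct hosts (port {port})")
```

With the defaults the scanning process trips the rule 19.8 s into the sweep and the browser never does; shrinking the window to 10 s shows the other failure mode, where a slow sweep stays under a per-window threshold and only a lower threshold or a longer window catches it.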
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b35adf078a6301cd46a48a0084ee4c0d3637a9a2813522966f6a25741e44e7a.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2576
  -
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3b35adf078a6301cd46a48a0084ee4c0d3637a9a2813522966f6a25741e44e7a.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1072
    -
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2124
      -
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2884
-
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2984
Reading the tree: the sandbox calls the DLL's export ordinal 1 (",#1") through the 64-bit rundll32.exe, which hands off to the SysWOW64 (32-bit) rundll32.exe because the DLL is 32-bit. That instance writes C:\WINDOWS\mssecsvc.exe and runs it, and mssecsvc.exe in turn writes and runs C:\WINDOWS\tasksche.exe /i. The second mssecsvc.exe instance (PID 2984, "-m security") has no recorded parent and is the one that touches the SYSTEM profile and HKU\.DEFAULT, which is consistent with a service start rather than a child of the rundll32 chain.
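The tree above is easier to reason about, and to turn into a hunting rule, once it is rebuilt from the raw rows. The script below is an added example written for this report, not output of the sandbox or part of the sample: it takes the WriteProcessMemory rows, the process list and the two "File created" IoCs from this page as constructed input, collapses the repeated WriteProcessMemory rows per parent/child pair, rebuilds the tree, and cross-references each dropped executable with the processes that later ran under that name. The function names and the EXTRA_EDGES entry for the tasksche.exe edge (which the page shows in the tree but not in the WriteProcessMemory rows) are my own assumptions.

```python
"""Rebuild a sandbox process tree from flattened report rows and correlate
'File created' IoCs with the processes that later executed. Added example
for this report; the data below is transcribed from the page."""
from collections import Counter, defaultdict
import ntpath

# Transcribed from "Suspicious use of WriteProcessMemory": one row per API
# call, hence the repeated (parent, child) pairs.
WRITE_ROWS = [(2576, 1072)] * 7 + [(1072, 2124)] * 4

# Transcribed from the "Processes" section: pid -> (image name, command line).
DLL = r"C:\Users\Admin\AppData\Local\Temp\3b35adf078a6301cd46a48a0084ee4c0d3637a9a2813522966f6a25741e44e7a.dll"
PROCS = {
    2576: ("rundll32.exe", f"rundll32.exe {DLL},#1"),
    1072: ("rundll32.exe", f"rundll32.exe {DLL},#1"),
    2124: ("mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    2884: ("tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    2984: ("mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
}
# The page's tree places 2884 under 2124 without a WriteProcessMemory row
# for that edge, so it is supplied explicitly (assumption taken from the tree).
EXTRA_EDGES = [(2124, 2884)]

# Transcribed from "Drops file in Windows directory": (dropper image, path).
DROPS = [
    ("rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ("mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
]


def edges_with_counts(rows):
    """Collapse repeated WriteProcessMemory rows into {(parent, child): calls}."""
    return dict(Counter(rows))


def build_tree(rows, extra=()):
    """Return ({ppid: [pid, ...]}, roots) where roots are pids with no parent."""
    children = defaultdict(list)
    has_parent = set()
    for ppid, pid in list(dict.fromkeys(rows)) + list(extra):
        if pid not in children[ppid]:
            children[ppid].append(pid)
        has_parent.add(pid)
    roots = sorted(p for p in PROCS if p not in has_parent)
    return dict(children), roots


def render(children, roots, procs=PROCS):
    """Indented one-line-per-process view, like the report's own tree."""
    out = []

    def walk(pid, depth):
        _, cmd = procs[pid]
        out.append(f"{'  ' * depth}{cmd}  (pid {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


def dropped_then_executed(drops, procs=PROCS):
    """Match each dropped file name against images that later ran.

    Returns sorted (dropper, dropped_path, executing_pid). mssecsvc.exe
    matching two pids is the interesting part: one in the rundll32 chain and
    one started independently with '-m security'."""
    hits = []
    for dropper, path in drops:
        name = ntpath.basename(path).lower()
        for pid, (image, _) in procs.items():
            if image.lower() == name:
                hits.append((dropper, path, pid))
    return sorted(hits)


if __name__ == "__main__":
    tree, roots = build_tree(WRITE_ROWS, EXTRA_EDGES)
    print("\n".join(render(tree, roots)))
    for hit in dropped_then_executed(DROPS):
        print("dropped then executed:", hit)
```

The "dropped then executed" join is the part worth keeping in a triage script: a file created under C:\WINDOWS by one process and then appearing as an image name in the process list is the behaviour common to both branches of this tree.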
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3.6MB
MD5: 90ec2e781608aac41e53b13d44634e8a
SHA1: 0eda5b8f1ab5d0c0c2ff3c890b3f18ed8683e7c1
SHA256: 5850c5a1341a9ef3fc173ed5e6314d4407a34971092b2e311c5bd571d8eb37c4
SHA512: e2206de7c8a50dc692e6eaa49b96d07f3d6ac05503c0e155a46f8c72f48140abca4b68d8c56ae083dc2db96574e4e486c81f4c7aa94a5339b8a7176665ba681f
-
Filesize: 3.4MB
MD5: d644d8eb2cdba655b7b24706b9637838
SHA1: 7f3c8f4aab41bb8770839286af0faeb8d1d7dadc
SHA256: 12a6999da87e715dc425ce9c334414446dd8fca27a8c07b8a7449b1f67c16b6b
SHA512: bef359aef93b1e76a2db053dbeee05965e43dcd5bbfd94157aea820d7fc1ce72687fe0ad11a958daf8e7aead4f4ae20f93e732765dc8e7335c395c660961002f