Analysis
- max time kernel: 120s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 24-07-2024 11:58
Static task
- static1
Behavioral task
- behavioral1
  Sample: 805b6b8559d83880b56b9678f973fc30N.dll
  Resource: win7-20240704-en
Behavioral task
- behavioral2
  Sample: 805b6b8559d83880b56b9678f973fc30N.dll
  Resource: win10v2004-20240709-en
General
- Target: 805b6b8559d83880b56b9678f973fc30N.dll
- Size: 5.0MB
- MD5: 805b6b8559d83880b56b9678f973fc30
- SHA1: 7ffbb8b15a952db197cd34508f88640aa5ab64e4
- SHA256: 86aa3b8be43d359a9e4cdedaf108e82409d204e1ef233ec22e6135c72d8cf16a
- SHA512: 83afe00fbc7f08a85f37ffc9f686dfb1ce9935c4f4a317c2e702ba1dfe78a5d35cb36deff5b6c242ce30767532d4b8592473c5a1da37d529826ed77aece8a10c
- SSDEEP: 24576:JbLgdeQhfdmMSirYbcMNgef0QeQjGdO6LLuYAMEcpc:JnjQqMSPbcBVQejdAMEc
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2474) number of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid  | process
  2456 | mssecsvc.exe
  2840 | mssecsvc.exe
  2232 | tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
- Modifies data under HKEY_USERS (1 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 2340 wrote to memory of 2500 | 2340 | rundll32.exe | rundll32.exe
  PID 2340 wrote to memory of 2500 | 2340 | rundll32.exe | rundll32.exe
  PID 2340 wrote to memory of 2500 | 2340 | rundll32.exe | rundll32.exe
  PID 2340 wrote to memory of 2500 | 2340 | rundll32.exe | rundll32.exe
  PID 2340 wrote to memory of 2500 | 2340 | rundll32.exe | rundll32.exe
  PID 2340 wrote to memory of 2500 | 2340 | rundll32.exe | rundll32.exe
  PID 2340 wrote to memory of 2500 | 2340 | rundll32.exe | rundll32.exe
  PID 2500 wrote to memory of 2456 | 2500 | rundll32.exe | mssecsvc.exe
  PID 2500 wrote to memory of 2456 | 2500 | rundll32.exe | mssecsvc.exe
  PID 2500 wrote to memory of 2456 | 2500 | rundll32.exe | mssecsvc.exe
  PID 2500 wrote to memory of 2456 | 2500 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\805b6b8559d83880b56b9678f973fc30N.dll,#1
  PID: 2340
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\805b6b8559d83880b56b9678f973fc30N.dll,#1
    PID: 2500
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2456
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2232
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2840
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 8e88b36518369f4d99f2208055587adb
  SHA1: 826283853d32159f1ac4ae530b8e1688a9f2117a
  SHA256: 25dad67d599ee6fd4c57f110a3939d04522d708382b2b242bbb03f8b61ada7db
  SHA512: 41c123ef772f5ed68e6af5f5da141db8562f8989496d97d089dc174b761e766bd3f4ca988deef3cace872dffd4dd8c758c48698f8cb35125b0378288642c488d
- Filesize: 3.4MB
  MD5: 062b5845bc23ede53dafc676c2000582
  SHA1: be595d85cec4fd34620e50899f1ac94e010ffa90
  SHA256: 11bbf6fd6efc4598063edb011ac6481f48e37e527371e7771cd99c082cdd0665
  SHA512: 5e654eae06e8ed87f56f0ece2bc38cc05d1fa6a468127550aa7867a56597595cec6d23903a017dafb1e061ea41ef823b2308421757f79a8e089df414a43c51fe