Analysis
Max time kernel: 120s
Max time network: 121s
Platform: windows10-2004_x64
Resource: win10v2004-20240709-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-07-2024 11:58
Static task: static1
Behavioral task: behavioral1
  Sample: 805b6b8559d83880b56b9678f973fc30N.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 805b6b8559d83880b56b9678f973fc30N.dll
  Resource: win10v2004-20240709-en
General
Target: 805b6b8559d83880b56b9678f973fc30N.dll
Size: 5.0MB
MD5: 805b6b8559d83880b56b9678f973fc30
SHA1: 7ffbb8b15a952db197cd34508f88640aa5ab64e4
SHA256: 86aa3b8be43d359a9e4cdedaf108e82409d204e1ef233ec22e6135c72d8cf16a
SHA512: 83afe00fbc7f08a85f37ffc9f686dfb1ce9935c4f4a317c2e702ba1dfe78a5d35cb36deff5b6c242ce30767532d4b8592473c5a1da37d529826ed77aece8a10c
SSDEEP: 24576:JbLgdeQhfdmMSirYbcMNgef0QeQjGdO6LLuYAMEcpc:JnjQqMSPbcBVQejdAMEc
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2474) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    1804  mssecsvc.exe
    4400  mssecsvc.exe
    4944  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                      Process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Description  IoC                                                          Process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                      PID   Process       Target process
    PID 2124 wrote to memory of 904  2124  rundll32.exe  rundll32.exe
    PID 2124 wrote to memory of 904  2124  rundll32.exe  rundll32.exe
    PID 2124 wrote to memory of 904  2124  rundll32.exe  rundll32.exe
    PID 904 wrote to memory of 1804  904   rundll32.exe  mssecsvc.exe
    PID 904 wrote to memory of 1804  904   rundll32.exe  mssecsvc.exe
    PID 904 wrote to memory of 1804  904   rundll32.exe  mssecsvc.exe
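The "contacts a large number of remote hosts" signature above is a fan-out heuristic: one process touching many distinct peers, usually on one port, looks like a service scan rather than client traffic. The following is an added example of that logic, not part of the sandbox report or its tooling. It runs over a constructed log in an assumed `pid=... image=... dst=ip:port` format; the PID and image of the scanning process are taken from the report, while the addresses, the port 445 and the benign browser process are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in an assumed "pid=... image=... dst=ip:port" format.
# Not the sandbox's own output: the scanner's PID/image come from the report,
# the addresses, the port and the browser process are made up.
def _scan_lines(pid, image, count, port=445):
    # One connection each to `count` distinct 10.0.x.y addresses on a single port.
    return [f"pid={pid} image={image} dst=10.0.{i // 256}.{i % 256}:{port}"
            for i in range(1, count + 1)]

SAMPLE_LOG = (
    _scan_lines(1804, "mssecsvc.exe", 300)
    # 50 connections to the same host: many events, but only one distinct peer.
    + ["pid=4444 image=chrome.exe dst=142.250.1.1:443"] * 50
    + ["pid=4444 image=chrome.exe dst=142.250.1.2:443",
       "pid=4444 image=chrome.exe dst=151.101.1.1:443"]
)

LINE_RE = re.compile(r"pid=(?P<pid>\d+) image=(?P<image>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+)")


def parse_line(line):
    """Parse one constructed-format line into (pid, image, remote_ip, remote_port)."""
    m = LINE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    return int(m["pid"]), m["image"], m["ip"], int(m["port"])


def peers_per_process(lines):
    """Map (pid, image) -> {remote_ip: set(ports)}; repeated hits to one host count once."""
    peers = defaultdict(lambda: defaultdict(set))
    for line in lines:
        pid, image, ip, port = parse_line(line)
        peers[(pid, image)][ip].add(port)
    return peers


def flag_scanners(lines, threshold=100):
    """Processes contacting >= threshold distinct hosts, as (pid, image, host_count, ports).

    Many hosts on a single port is the classic service-scan shape; many hosts spread over
    many ports looks more like ordinary client traffic and deserves a look before alerting.
    """
    hits = []
    for (pid, image), by_ip in peers_per_process(lines).items():
        if len(by_ip) >= threshold:
            ports = sorted({p for port_set in by_ip.values() for p in port_set})
            hits.append((pid, image, len(by_ip), ports))
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    for pid, image, n, ports in flag_scanners(SAMPLE_LOG):
        print(f"{image} (PID {pid}) contacted {n} distinct hosts on port(s) {ports}")
```

The threshold is the tuning knob: the report's 2474 hosts is far above anything a workstation process does legitimately, but a threshold of 100 within the sandbox's two-minute window would still catch it early, while the per-host deduplication keeps a browser hammering one CDN host from tripping the rule.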
Processes
C:\Windows\system32\rundll32.exe (PID 2124)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\805b6b8559d83880b56b9678f973fc30N.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 904)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\805b6b8559d83880b56b9678f973fc30N.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 1804)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe (PID 4944)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe (PID 4400)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
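The process tree above and the "Drops file in Windows directory" and "Executes dropped EXE" IoCs are three views of the same chain: the 32-bit rundll32.exe writes C:\WINDOWS\mssecsvc.exe and launches it, which in turn writes and launches C:\WINDOWS\tasksche.exe. The following is an added example, not the sandbox's code, of how those signatures fall out of a flat event trace once file-create and process-create records are correlated. The PIDs, images, command lines and created paths are the report's; the sequence numbers and the unobserved parents of the two root processes are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class FileCreate:
    seq: int       # position in the trace; a timestamp in a real log
    pid: int       # process that created the file
    image: str
    path: str


@dataclass(frozen=True)
class ProcCreate:
    seq: int
    pid: int
    ppid: Optional[int]  # None when the parent was not observed
    image: str
    cmdline: str


Event = Union[FileCreate, ProcCreate]

DLL_CMD = r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\805b6b8559d83880b56b9678f973fc30N.dll,#1"

# Constructed trace built from the report's process tree and IoC tables.  Sequence
# numbers and the missing parents of the two root processes are assumptions.
TRACE: List[Event] = [
    ProcCreate(1, 2124, None, r"C:\Windows\system32\rundll32.exe", DLL_CMD),
    ProcCreate(2, 904, 2124, r"C:\Windows\SysWOW64\rundll32.exe", DLL_CMD),
    FileCreate(3, 904, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcCreate(4, 1804, 904, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    FileCreate(5, 1804, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    ProcCreate(6, 4944, 1804, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcCreate(7, 4400, None, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]

WINDOWS_DIR = "c:\\windows\\"


def windows_dir_drops(trace) -> List[Tuple[int, str]]:
    """'Drops file in Windows directory': (creator pid, path) for files created under the Windows directory."""
    return [(e.pid, e.path) for e in sorted(trace, key=lambda e: e.seq)
            if isinstance(e, FileCreate) and e.path.lower().startswith(WINDOWS_DIR)]


def executed_dropped_files(trace) -> List[Tuple[int, str, int]]:
    """'Executes dropped EXE': (pid, image, dropper pid) for processes whose image file was
    created earlier in the same trace.  Paths compare case-insensitively because the report
    mixes the 'Windows' and 'WINDOWS' spellings."""
    created = {}  # lowercase path -> pid that first created it
    hits = []
    for e in sorted(trace, key=lambda e: e.seq):
        if isinstance(e, FileCreate):
            created.setdefault(e.path.lower(), e.pid)
        elif isinstance(e, ProcCreate) and e.image.lower() in created:
            hits.append((e.pid, e.image, created[e.image.lower()]))
    return hits


def render_tree(trace) -> List[str]:
    """Rebuild the report's indented process tree from flat parent/child records."""
    procs = sorted((e for e in trace if isinstance(e, ProcCreate)), key=lambda e: e.seq)
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    roots = []
    for p in procs:
        (children[p.ppid] if p.ppid in by_pid else roots).append(p)
    lines = []

    def walk(p, depth):
        lines.append("  " * depth + f"{p.cmdline}  (PID {p.pid})")
        for c in children[p.pid]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(TRACE)))
    for pid, image, dropper in executed_dropped_files(TRACE):
        print(f"PID {pid} executed {image}, written earlier by PID {dropper}")
```

Note that the second mssecsvc.exe (PID 4400, `-m security`) is flagged as a dropped executable even though it has no observed parent in the trace: the correlation is on the image path, not on lineage, which is what lets the signature survive a process that is started by a service host rather than by the dropper itself.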
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 8e88b36518369f4d99f2208055587adb
  SHA1: 826283853d32159f1ac4ae530b8e1688a9f2117a
  SHA256: 25dad67d599ee6fd4c57f110a3939d04522d708382b2b242bbb03f8b61ada7db
  SHA512: 41c123ef772f5ed68e6af5f5da141db8562f8989496d97d089dc174b761e766bd3f4ca988deef3cace872dffd4dd8c758c48698f8cb35125b0378288642c488d
- Filesize: 3.4MB
  MD5: 062b5845bc23ede53dafc676c2000582
  SHA1: be595d85cec4fd34620e50899f1ac94e010ffa90
  SHA256: 11bbf6fd6efc4598063edb011ac6481f48e37e527371e7771cd99c082cdd0665
  SHA512: 5e654eae06e8ed87f56f0ece2bc38cc05d1fa6a468127550aa7867a56597595cec6d23903a017dafb1e061ea41ef823b2308421757f79a8e089df414a43c51fe