Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-09-2024 00:40
Static task: static1
Behavioral task: behavioral1
  Sample: a903d75b894efefc834cff35afc6d429fa3929a2ef8b801889a906cb3d210139.dll
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: a903d75b894efefc834cff35afc6d429fa3929a2ef8b801889a906cb3d210139.dll
  Resource: win10v2004-20240802-en
General
Target: a903d75b894efefc834cff35afc6d429fa3929a2ef8b801889a906cb3d210139.dll
Size: 5.0MB
MD5: 43295328bbda9562e1f06bf87f75c0e3
SHA1: 93f34f8dcdf8029f71bc2882055fbd8e9355abe7
SHA256: a903d75b894efefc834cff35afc6d429fa3929a2ef8b801889a906cb3d210139
SHA512: 9f61e5403b0b05bcd7d615fb0fc0d56c1c28df464e2babf814878d862c973ff5be70cb6f853c27a837e3974f7be9589b570285adbf245046f3407608e70b64e7
SSDEEP: 24576:RbLgdeQhfVZMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6627X6SASk+RdhAdmv:RnjQ1MSPbcBVQej/1INRp6SAARdhnv
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (3304) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (2 IoCs)
  PID   Process
  2000  mssecsvr.exe
  2820  mssecsvr.exe
Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory (2 IoCs)
  Description   IoC                        Process
  File created  C:\WINDOWS\mssecsvr.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvr.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvr.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvr.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Description                        PID   Process       procid_target
  PID 556 wrote to memory of 3476    556   rundll32.exe  83
  PID 556 wrote to memory of 3476    556   rundll32.exe  83
  PID 556 wrote to memory of 3476    556   rundll32.exe  83
  PID 3476 wrote to memory of 2000   3476  rundll32.exe  86
  PID 3476 wrote to memory of 2000   3476  rundll32.exe  86
  PID 3476 wrote to memory of 2000   3476  rundll32.exe  86
  procid_target is a sandbox-internal process index, not the OS PID of the target; the target PID is the one named in the description. Both writes go to the writer's own child at creation time: the 64-bit system32 rundll32.exe (PID 556) relaunching its 32-bit SysWOW64 counterpart (PID 3476) to host the x86 DLL, and that process starting the dropped mssecsvr.exe (PID 2000). No write into an unrelated process is recorded.
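The two network signatures above (3304 remote hosts, a large number of flows) describe fan-out, which is straightforward to detect from flow or firewall logs. The following Python is an added example and not the sandbox's own signature logic: it parses constructed flow records (the record format, the 100-host threshold and the 60-second window are assumptions chosen for the example) and raises one alert per process whose distinct-destination count inside a sliding window reaches the threshold. The constructed data sends the sweep to 445/tcp because WannaCry's spreader targets SMB; the report itself records only the host count.

```python
"""Fan-out (network scan) detector over flow records.

Added example, not the sandbox's own signature logic. Flags a process that
contacts an unusually large number of distinct remote hosts inside a short
window, the behaviour behind the report's "Contacts a large (3304) amount of
remote hosts" and "Creates a large amount of network flows" hits.
Record format, threshold and window are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DISTINCT_HOST_THRESHOLD = 100     # assumption: 100 distinct hosts ...
WINDOW = timedelta(seconds=60)    # assumption: ... within any 60-second window


def parse_flow(line):
    """Parse one constructed record: '<ISO-8601 ts> <pid> <image> <dst_ip>:<dst_port> <proto>'."""
    ts, pid, image, dst, proto = line.split()
    ip, port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "image": image,
            "dst_ip": ip, "dst_port": int(port), "proto": proto}


def detect_fanout(lines, threshold=DISTINCT_HOST_THRESHOLD, window=WINDOW):
    """Return one alert per process whose distinct-destination count within
    some window of length `window` reaches `threshold`."""
    flows = sorted((parse_flow(l) for l in lines), key=lambda f: f["ts"])
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f["pid"], f["image"])].append(f)

    alerts = []
    for (pid, image), recs in by_proc.items():
        start = 0
        in_window = defaultdict(int)   # dst_ip -> flows to it inside the window
        for end, f in enumerate(recs):
            in_window[f["dst_ip"]] += 1
            # slide the left edge forward until the window fits
            while f["ts"] - recs[start]["ts"] > window:
                old = recs[start]["dst_ip"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                ports = sorted({r["dst_port"] for r in recs[start:end + 1]})
                alerts.append({"pid": pid, "image": image,
                               "distinct_hosts": len(in_window), "ports": ports,
                               "first": recs[start]["ts"], "last": f["ts"]})
                break   # one alert per process is enough
    return alerts


def build_sample():
    """Constructed flow records: a browser talking to a handful of hosts, plus
    the dropped mssecsvr.exe (PID 2820 as in the report) sweeping 300 addresses
    on 445/tcp in about 15 seconds."""
    base = datetime(2024, 9, 15, 0, 40, 0)
    lines = []
    for i in range(5):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 4120 chrome.exe 93.184.216.{i + 1}:443 tcp")
    for i in range(300):
        ts = (base + timedelta(milliseconds=50 * i)).isoformat()
        lines.append(f"{ts} 2820 mssecsvr.exe 10.0.{i // 254}.{i % 254 + 1}:445 tcp")
    return lines


if __name__ == "__main__":
    for a in detect_fanout(build_sample()):
        print(f"ALERT pid={a['pid']} {a['image']} hosts={a['distinct_hosts']} "
              f"ports={a['ports']} {a['first'].time()}..{a['last'].time()}")
```

The per-process grouping matters: a proxy or browser legitimately talks to many hosts over a day, but rarely to a hundred fresh ones within a minute, and a single destination port across all of them (445 here) is the extra signal that separates a service sweep from ordinary traffic.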
Processes
C:\Windows\system32\rundll32.exe (depth 1, PID 556)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a903d75b894efefc834cff35afc6d429fa3929a2ef8b801889a906cb3d210139.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (depth 2, PID 3476)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a903d75b894efefc834cff35afc6d429fa3929a2ef8b801889a906cb3d210139.dll,#1
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvr.exe (depth 3, PID 2000)
      Command line: C:\WINDOWS\mssecsvr.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
C:\WINDOWS\mssecsvr.exe (depth 1, PID 2820)
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
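The process tree above gives the whole drop-and-execute chain: the system32 rundll32.exe calls the DLL's export by ordinal (#1), the SysWOW64 rundll32.exe it spawns writes C:\WINDOWS\mssecsvr.exe, that binary runs and writes C:\WINDOWS\tasksche.exe, and a second mssecsvr.exe starts as its own root with -m security. The following Python is an added example, not the sandbox's detection logic: it correlates constructed process-create and file-create events (the event shape is an assumption modelled loosely on Sysmon event IDs 1 and 11; the PIDs and paths are the ones from this report) into one finding per step of that chain.

```python
"""Correlate process-create and file-create events into the drop-and-execute
chain shown in this report.

Added example. The event dictionaries are an assumption modelled loosely on
Sysmon event ID 1 (process create) and 11 (file create); they are not an
export from the sandbox. PIDs and paths are taken from the report's tree.
"""
import ntpath
import re

WINDOWS_DIR = r"C:\WINDOWS"
ORDINAL_EXPORT = re.compile(r",#\d+\s*$")   # rundll32 "foo.dll,#1" ordinal call
TEMP_FRAGMENT = "\\appdata\\local\\temp\\"


def in_windows_dir(path):
    """True when path sits directly in C:\\WINDOWS (not a subdirectory)."""
    return ntpath.dirname(path).upper() == WINDOWS_DIR.upper()


def correlate(events):
    """Return a list of findings; each names the rule, the PID and the evidence.

    Rules, each taken from a behaviour the report lists:
      rundll32_ordinal_from_temp  rundll32.exe invoked by ordinal on a DLL under AppData\\Local\\Temp
      drops_exe_in_windows_dir    a process writing *.exe directly into C:\\WINDOWS
      executes_dropped_exe        a process whose image is a path dropped earlier in the stream
      cmdline_m_security          the '-m security' argument seen on the second mssecsvr.exe
    """
    dropped = {}    # lowercase dropped path -> the file_create event that wrote it
    findings = []
    for e in events:
        if e["type"] == "file_create":
            target = e["target"]
            if in_windows_dir(target) and target.lower().endswith(".exe"):
                dropped[target.lower()] = e
                findings.append({"rule": "drops_exe_in_windows_dir", "pid": e["pid"],
                                 "image": e["image"], "target": target})
            continue
        # process_create
        image, cmdline = e["image"], e["cmdline"]
        if (ntpath.basename(image).lower() == "rundll32.exe"
                and ORDINAL_EXPORT.search(cmdline)
                and TEMP_FRAGMENT in cmdline.lower()):
            findings.append({"rule": "rundll32_ordinal_from_temp", "pid": e["pid"],
                             "cmdline": cmdline})
        if image.lower() in dropped:
            src = dropped[image.lower()]
            findings.append({"rule": "executes_dropped_exe", "pid": e["pid"], "image": image,
                             "dropped_by_pid": src["pid"], "dropped_by": src["image"]})
        if "-m security" in cmdline.lower():
            findings.append({"rule": "cmdline_m_security", "pid": e["pid"], "cmdline": cmdline})
    return findings


SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\a903d75b894efefc834cff35afc6d429fa3929a2ef8b801889a906cb3d210139.dll")

# Constructed events following the PIDs, images and command lines in the report's
# process tree, plus one benign control process that should match nothing.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 556,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "process_create", "pid": 3476,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "file_create", "pid": 3476, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\WINDOWS\mssecsvr.exe"},
    {"type": "process_create", "pid": 2000,
     "image": r"C:\WINDOWS\mssecsvr.exe", "cmdline": r"C:\WINDOWS\mssecsvr.exe"},
    {"type": "file_create", "pid": 2000, "image": r"C:\WINDOWS\mssecsvr.exe",
     "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process_create", "pid": 2820,
     "image": r"C:\WINDOWS\mssecsvr.exe", "cmdline": r"C:\WINDOWS\mssecsvr.exe -m security"},
    {"type": "process_create", "pid": 7000,
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['rule']:28} pid={f['pid']}")
```

Matching executes_dropped_exe on the lowercase image path rather than the basename is deliberate: it ties the second mssecsvr.exe (PID 2820) back to the rundll32.exe that wrote the file, even though the two processes do not share a parent in the tree.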
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.2MB
MD5: 93f898f65882dc83803e0e5c9fd73103
SHA1: ddff5059e398cc8d509e72909bdf2e4356ae2ee8
SHA256: 66ae968526be97cbafd7c37a0ef3cb92f15a6e6b285d98629602a79d1d5f5fc2
SHA512: 47b70ed73ab295f30d099adaf6b2a795012205e6bb6dc5888b1b39fbfe3ca3b6882dddab6580bea738ae37aa7dce0d8cffd09948bdea32e9b9fd699b63a79617