Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
22-09-2024 22:30
Static task
static1
Behavioral task
behavioral1
Sample
776d09b9e3e33116ca669bc2bd94c9bca54419ae558784c2854ab9c97cb9f81f.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
776d09b9e3e33116ca669bc2bd94c9bca54419ae558784c2854ab9c97cb9f81f.dll
Resource
win10v2004-20240802-en
General
-
Target
776d09b9e3e33116ca669bc2bd94c9bca54419ae558784c2854ab9c97cb9f81f.dll
-
Size
5.0MB
-
MD5
ee6b0c24c8a5b69cc334f17e18e9f000
-
SHA1
3cd45add02a9e62c82cd04a4c32bcf3d21c0a9c9
-
SHA256
776d09b9e3e33116ca669bc2bd94c9bca54419ae558784c2854ab9c97cb9f81f
-
SHA512
de3f39829c661466bd8d4d4976c0b9e8733256af6b9841b87c200d370d29d613ab9cb2b251cfad527ae1654b2e48febc19c9d24527c3fed54bebda088a76a9f3
-
SSDEEP
49152:SnAQqMSPbcBVQej/3Qo6SAARdhnvxJM0H9PAMEc:+DqPoBhz336SAEdhvxWa9P5
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3216) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2816 mssecsvc.exe 724 mssecsvc.exe 2756 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3036 wrote to memory of 712 3036 rundll32.exe 82 PID 3036 wrote to memory of 712 3036 rundll32.exe 82 PID 3036 wrote to memory of 712 3036 rundll32.exe 82 PID 712 wrote to memory of 2816 712 rundll32.exe 83 PID 712 wrote to memory of 2816 712 rundll32.exe 83 PID 712 wrote to memory of 2816 712 rundll32.exe 83
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\776d09b9e3e33116ca669bc2bd94c9bca54419ae558784c2854ab9c97cb9f81f.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\776d09b9e3e33116ca669bc2bd94c9bca54419ae558784c2854ab9c97cb9f81f.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:712 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2816 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2756
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:724
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5ebc0e063d09aa95628b7f9b5de4c0388
SHA159e0b511580fd85d7deaa58749112b54b339ba52
SHA2561415fded946da3da09a67ec55a1daf159ae64884549d8831a830578615b1cb42
SHA5128b6b235d16e70551863b8b58a04214a902f83ced1b6ce5de94960941acc2504efbf17ec1755bb95dfa23677788d6893248580faed44fff9b9c725e24a39e6932
-
Filesize
3.4MB
MD5749017d21be7b85e2f5fe11737f5b278
SHA1b40748f7e80fe8e2dc5e9f6bae14002e7e5fa673
SHA256f85cc112ef10226ccbd056e0e39c1b33ed3a7d6f94534ac05559c3ee34a82adb
SHA512e0f4fd913f3fdeb37ccc5b79b745fccef4ce50aed5dea625c542ebc6ab93f5689329224ad6c494ee4611ce609fdb800459a1a58d325dfbaef948bb1a35722a6b