Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 24-09-2024 21:08
Static task: static1
Behavioral task: behavioral1
  Sample: c694e3749f485147f314e63e1f5c2f41b59c9b27a51e14f49844dec095310363N.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: c694e3749f485147f314e63e1f5c2f41b59c9b27a51e14f49844dec095310363N.dll
  Resource: win10v2004-20240802-en
General
Target: c694e3749f485147f314e63e1f5c2f41b59c9b27a51e14f49844dec095310363N.dll
Size: 5.0MB
MD5: e8611c0286f6ef0b44b86896f0af8430
SHA1: c68f86e8432aa960a872e1947691bb4305fbab4e
SHA256: c694e3749f485147f314e63e1f5c2f41b59c9b27a51e14f49844dec095310363
SHA512: 1c19318740b833ff5cd0a774af2037aa44e68f6f36af9fb73c3f5a50e43dcaef668beb22f3b9917eb3aa7c48e347d9cbdab16b2d61ef072c5e789d2e175cd179
SSDEEP: 12288:ywbLgPluxQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXFy:JbLgdeQhfdmMSirYbcMNgef0QeQjGI
Malware Config
(none extracted)

Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (2472) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  pid   Process
  2692  mssecsvc.exe
  1620  mssecsvc.exe
  2924  tasksche.exe

Drops file in System32 directory (1 IoC)
  description                   ioc                                                                                                             Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe

Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe

Modifies data under HKEY_USERS (1 IoC)
  description  ioc                                                                            Process
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                         pid   Process       procid_target
  PID 2156 wrote to memory of 1172    2156  rundll32.exe  30
  PID 2156 wrote to memory of 1172    2156  rundll32.exe  30
  PID 2156 wrote to memory of 1172    2156  rundll32.exe  30
  PID 2156 wrote to memory of 1172    2156  rundll32.exe  30
  PID 2156 wrote to memory of 1172    2156  rundll32.exe  30
  PID 2156 wrote to memory of 1172    2156  rundll32.exe  30
  PID 2156 wrote to memory of 1172    2156  rundll32.exe  30
  PID 1172 wrote to memory of 2692    1172  rundll32.exe  31
  PID 1172 wrote to memory of 2692    1172  rundll32.exe  31
  PID 1172 wrote to memory of 2692    1172  rundll32.exe  31
  PID 1172 wrote to memory of 2692    1172  rundll32.exe  31
Processes

C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c694e3749f485147f314e63e1f5c2f41b59c9b27a51e14f49844dec095310363N.dll,#1
  PID: 2156
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c694e3749f485147f314e63e1f5c2f41b59c9b27a51e14f49844dec095310363N.dll,#1
    PID: 1172
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2692
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

      C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2924
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1620
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
  Filesize: 3.6MB
  MD5: a547ea33025174fab4d1f549045573d6
  SHA1: e1c3339660be0bca43a6389a21b7ff58da1faea8
  SHA256: fd9d4788a6d08f3a27265e24f52f3776c6e6dc278c5cb1e9105c1eabb204e477
  SHA512: 7075cf8bdaafc8b73a957211516013f281f56564a6b3fd5ab9372288548fbfb1b5d13db19bdc99cada2c080ddee2996d1a316f3df6acb13bdaf3047b43543f70

Download 2
  Filesize: 3.4MB
  MD5: 86e3f55745bd48a5f14e36079fa35c08
  SHA1: 83ca4360e19384de800dcfb8954372b63e16be0c
  SHA256: fa590e6e5fea75b8d5b5269b9bd16463645e46eb3d7a0504e0db8129c2083790
  SHA512: 175d56f34fbf300c02b4ec5a61679a371502f11bfbdbef488b4d3d220c68dfa3c5b4efdc2924859525d16c8d36cbfba0d8694a351bc093ade38abb2cee9c9f6c