Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25-09-2024 06:34
Static task: static1
Behavioral task: behavioral1
- Sample: 9e714d4d43e214c28c4ad49877d849e37ac06ed3095d32ff682cbde7c15c4e9eN.dll
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 9e714d4d43e214c28c4ad49877d849e37ac06ed3095d32ff682cbde7c15c4e9eN.dll
- Resource: win10v2004-20240802-en
General
- Target: 9e714d4d43e214c28c4ad49877d849e37ac06ed3095d32ff682cbde7c15c4e9eN.dll
- Size: 5.0MB
- MD5: e979124c81143e8fb75bd63e7b07df00
- SHA1: 54c94581e0d1c0d082a10c3d6169ebec7155efea
- SHA256: 9e714d4d43e214c28c4ad49877d849e37ac06ed3095d32ff682cbde7c15c4e9e
- SHA512: 40342b1f80e542f490ec42f4face1ebff2c2e1c94aac55f939c2b07026e5947f343487e05ea0bbc68d1d420a3a7f0b14e767b308272fb341af4e9040d06cbf93
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0Q4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBVQyAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2493) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  1692  mssecsvc.exe
  972   mssecsvc.exe
  2796  tasksche.exe
- Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                            Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process       procid_target
  PID 276 wrote to memory of 2520   276   rundll32.exe  31
  PID 276 wrote to memory of 2520   276   rundll32.exe  31
  PID 276 wrote to memory of 2520   276   rundll32.exe  31
  PID 276 wrote to memory of 2520   276   rundll32.exe  31
  PID 276 wrote to memory of 2520   276   rundll32.exe  31
  PID 276 wrote to memory of 2520   276   rundll32.exe  31
  PID 276 wrote to memory of 2520   276   rundll32.exe  31
  PID 2520 wrote to memory of 1692  2520  rundll32.exe  32
  PID 2520 wrote to memory of 1692  2520  rundll32.exe  32
  PID 2520 wrote to memory of 1692  2520  rundll32.exe  32
  PID 2520 wrote to memory of 1692  2520  rundll32.exe  32
Processes
- Image: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e714d4d43e214c28c4ad49877d849e37ac06ed3095d32ff682cbde7c15c4e9eN.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 276
  - Image: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9e714d4d43e214c28c4ad49877d849e37ac06ed3095d32ff682cbde7c15c4e9eN.dll,#1
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID: 2520
    - Image: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
      PID: 1692
      - Image: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        PID: 2796
- Image: C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
  PID: 972
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 6fa3a464bd9df87c164a7650619634ba
  SHA1: 0c363ba86938102fbb55f8f0f1f2ad8a1953cc5a
  SHA256: 4049d0b5d878855fabc4338cf8f6b8a5f7604d249c970df5b4552186601f1f5d
  SHA512: 379512b5ceb023b78730fd3f8245413d990e4472861d8910a08baf73e291988fbb15f5d3135ba291f81b263d41cb6c0543b14c124967d4a6fc3ce2b0365f74ec
- Filesize: 3.4MB
  MD5: a1660f6e4fe9388cbb251ca4d6b352e6
  SHA1: db0686ae7886b54983fc86f876b015c59deaa0b3
  SHA256: 7902974c078579c6e8d28694cc6026854d53fedfdc34dac83b443089529eea4c
  SHA512: 6c432cf003dd1d04897a610f38c6b20f4acf212378803becf70dc0c3ad3197424d5fd7e17f81eeb7941f35a3e3207f3daccd13371f8d715a6277e5343471854b