Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2024 01:19
Static task
static1
Behavioral task
behavioral1
Sample
a56e5450cf34d7491bebf4c8232e8f6a5f46a3bab293129cc24c843369102c72.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a56e5450cf34d7491bebf4c8232e8f6a5f46a3bab293129cc24c843369102c72.dll
Resource
win10v2004-20241007-en
General
-
Target
a56e5450cf34d7491bebf4c8232e8f6a5f46a3bab293129cc24c843369102c72.dll
-
Size
5.0MB
-
MD5
aa62c5bae918f4d52c52a32fbc27f0a9
-
SHA1
3c337bfc1f06bd236a2a19b583d09980f4af076a
-
SHA256
a56e5450cf34d7491bebf4c8232e8f6a5f46a3bab293129cc24c843369102c72
-
SHA512
50863f4a5047492bb7b271beee9a4b499d6d33c26f696caa207025c42a39f701db244bf4c17cb9c428b766a6db0c063ae62d2af3058119b6a7ab92940c204b03
-
SSDEEP
98304:TDqPoBhz1aRxcSUDkn6SAEdhvxWa9P593R8yAVp2H:TDqPe1CxcxknZAEUadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (3172) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 1888 mssecsvc.exe 2324 mssecsvc.exe 3776 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3872 wrote to memory of 3796 3872 rundll32.exe 83 PID 3872 wrote to memory of 3796 3872 rundll32.exe 83 PID 3872 wrote to memory of 3796 3872 rundll32.exe 83 PID 3796 wrote to memory of 1888 3796 rundll32.exe 85 PID 3796 wrote to memory of 1888 3796 rundll32.exe 85 PID 3796 wrote to memory of 1888 3796 rundll32.exe 85
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a56e5450cf34d7491bebf4c8232e8f6a5f46a3bab293129cc24c843369102c72.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a56e5450cf34d7491bebf4c8232e8f6a5f46a3bab293129cc24c843369102c72.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3796 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1888 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3776
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2324
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5a1f604a8258ca8df0d4466fdc6b71ded
SHA14ee04369b4bef78d37adfec37e01227bc2766572
SHA2568cee9ce56f1a958d285d34c03cd47e1b3fa15b27dd142994f992e7b837981500
SHA51243b00f08a21bc7bf074d839ad1c07aa2cdc16c08a4f9557e9dc70bafe97bd5dc52d88f9902b3fc3b6c2c7cefcaf610f860e9e23bd833e6ab8098e400b8d62162
-
Filesize
3.4MB
MD5be9858384a5352c00667fccbab091bc2
SHA12ffdef1cd77c680cd6b38390e29a8d1044cc51c0
SHA256181ed2fbf4f2ed4fb186faf5d15b05e342e8f24ba5d9b7cbde786a1e70b0ca27
SHA512ff520c4587fb44e34e92dc437c6221ce421c178e76a5f9a52826e8dd289e372d3b8ca778160efa35ebd104b32d5ce2467f549edf75aa28293fa0c736bcbec5ad