Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15/01/2025, 14:43
Static task
static1
Behavioral task
behavioral1
Sample
775930a062cfe16caf9a56513d142262.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
775930a062cfe16caf9a56513d142262.dll
Resource
win10v2004-20241007-en
General
-
Target
775930a062cfe16caf9a56513d142262.dll
-
Size
5.0MB
-
MD5
775930a062cfe16caf9a56513d142262
-
SHA1
ebc7f59387f5b121795b3c3bc37bc77c566baf7b
-
SHA256
c5eeafb62d5b0fce524e12ad5a94f7e221636dc1bfc8622c8d7e0e61bc0950f8
-
SHA512
7b5a61545b21ea5f477d86df7af8d53951011f3b062db09a5defb053716bb2bb619c53b5111ddcadba5047029fb41da2cdf3d95ab49466ed33428f372fe98f48
-
SSDEEP
49152:RnnMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhHE:1nPoBhz1aRxcSUDk36SAEdhk
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (3236) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 2 IoCs
pid Process 4100 mssecsvr.exe 2688 mssecsvr.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies mssecsvr.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvr.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvr.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvr.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows mssecsvr.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4776 wrote to memory of 4544 4776 rundll32.exe 84 PID 4776 wrote to memory of 4544 4776 rundll32.exe 84 PID 4776 wrote to memory of 4544 4776 rundll32.exe 84 PID 4544 wrote to memory of 4100 4544 rundll32.exe 85 PID 4544 wrote to memory of 4100 4544 rundll32.exe 85 PID 4544 wrote to memory of 4100 4544 rundll32.exe 85
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\775930a062cfe16caf9a56513d142262.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\775930a062cfe16caf9a56513d142262.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4100
-
-
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2688
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.2MB
MD5e916117384c8250971067d18f2734f8b
SHA149515862ad32a93804f787671a4eff3d0ebf6fc8
SHA25609e05a106716c7a1994bc60185129c57a865f378468dfd223e424b51de1fcbe9
SHA512b6e887f017086f2a578a2e82d37749632aa6e11c1c95650d818b3d381aa53be24eceab0358b8e64760df2ec17bfa3647db64b1bf50e7b69da14641c3d3bd8ca3