Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16/01/2025, 02:47
Static task
static1
Behavioral task
behavioral1
Sample
5b7edc95ab8033817fb07fee8e8f114be7f1873abcd69d07899ac60ae9b9763a.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
5b7edc95ab8033817fb07fee8e8f114be7f1873abcd69d07899ac60ae9b9763a.dll
Resource
win10v2004-20241007-en
General
-
Target
5b7edc95ab8033817fb07fee8e8f114be7f1873abcd69d07899ac60ae9b9763a.dll
-
Size
5.0MB
-
MD5
99fbd88dafad2ed4a82cc80f8b8eb8d4
-
SHA1
e2023fcc0a9991c84fa24ea4f3285305514c52cb
-
SHA256
5b7edc95ab8033817fb07fee8e8f114be7f1873abcd69d07899ac60ae9b9763a
-
SHA512
a012ac91f0475943cdfecf882e96e940cb445e7466d3a4e9d8737412b265b54d941a5a9798754e2942ef1c6b17deac56d351206f7cd8808560ccae30b554be8b
-
SSDEEP
49152:JnAQqMSPbcBVQej/1INRx+TSqTg6SAARdhH9PAMEcaEau3:dDqPoBhz1aRxcSUg6SAEdt9P593
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Wannacry family
-
Contacts a large (3358) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 1696 mssecsvc.exe 4028 mssecsvc.exe 3636 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 2480 wrote to memory of 1956 2480 rundll32.exe 83 PID 2480 wrote to memory of 1956 2480 rundll32.exe 83 PID 2480 wrote to memory of 1956 2480 rundll32.exe 83 PID 1956 wrote to memory of 1696 1956 rundll32.exe 84 PID 1956 wrote to memory of 1696 1956 rundll32.exe 84 PID 1956 wrote to memory of 1696 1956 rundll32.exe 84
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5b7edc95ab8033817fb07fee8e8f114be7f1873abcd69d07899ac60ae9b9763a.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5b7edc95ab8033817fb07fee8e8f114be7f1873abcd69d07899ac60ae9b9763a.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1696 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3636
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4028
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD58ed7f2e1aae7a4371aa929a5eb6a6e59
SHA1b7527fb2d0e20fff576e747883b442aba1984dbc
SHA2562b2f4b29a1cee09d68d765422f86812aae50e9b92b39cff3cfe1c57b3d34d279
SHA5122257bc07bfa2e96483fc9823accc1c2eba6a7bb78df4bee58c6db7ef06097deaa6d7a6735b6a897ea9166721434c423854b96ddf61f369f92b88ff9c755530e3
-
Filesize
3.4MB
MD5171e35fe5fd37ca850d3d1234d94e194
SHA106c040762d84de3a9ef76bc9e867598568cac28a
SHA25617528e634c992a0b607fa14c088983183282bfa90d470e1ae95bff4763efd866
SHA512b50d220a39213ebc9f27baf7d25ff6fec06f608bdd5794da8b600351b69b4c9c18cd2c151edde389b55ff3b95164247e63d763aa08b6b91ebc816dbd4858cf26