wannacry | 55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3

Resubmissions

03/02/2024, 16:18

240203-tsdj7sffem 10

03/02/2024, 16:16

240203-tq495sffcp 10

02/02/2024, 12:22

240202-pkafcsfgbj 10

Analysis

max time kernel
212s
max time network
212s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
03/02/2024, 16:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Win32.Wannacry.dll
Size

5.0MB
MD5

30fe2f9a048d7a734c8d9233f64810ba
SHA1

2027a053de21bd5c783c3f823ed1d36966780ed4
SHA256

55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3
SHA512

b657b02506f768db3255293b0c86452b4dfdd30804629c323aaa9510a3b637b0906e5963179ef7d4aaedc14646f2be2b4292e6584a6c55c6ddb596cff7f20e2a
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (4820) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1072	mssecsvc.exe
5112	mssecsvc.exe
2116	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 1660	1844	rundll32.exe	73
PID 1844 wrote to memory of 1660	1844	rundll32.exe	73
PID 1844 wrote to memory of 1660	1844	rundll32.exe	73
PID 1660 wrote to memory of 1072	1660	rundll32.exe	74
PID 1660 wrote to memory of 1072	1660	rundll32.exe	74
PID 1660 wrote to memory of 1072	1660	rundll32.exe	74

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Win32.Wannacry.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Win32.Wannacry.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1072
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2116

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
443KB

MD5
318cc2f18d18688e8a48c90fdedb1430

SHA1
a5e6adb0fa136c28708912a2c32ea6e7aad0c12e

SHA256
9c7bc405f4a3b3cebf69ed16dcfc026435edf79a7bae9d29b6ba7cc2ef88be1c

SHA512
e001729e39c375e58e55650581912f8add240ec01e8ec8852f5a0f89025ba278359bc5e4b1c32fe5650dda3a0643af8afadcf9f8286f281051cd8cf6eb07dfac

Download Submit
C:\Windows\mssecsvc.exe

Filesize
576KB

MD5
eada3681789ae6c53a8a2b3868da356f

SHA1
e0f20a4c394bc895bd74b3a640c801c9eab083ea

SHA256
a1ca22b939b167816a2d3c327371d25bdd66f48df4fb16e7e6f2cf5da7d678b1

SHA512
a2d81cad15f7972b92ad70194e4255e46bff01a4357e99e38480ad6a4ce838c3a4a5f790b1fe3695f17da6de42bb867095681ca5c3358255da4f3899d6a86c25

Download Submit
C:\Windows\mssecsvc.exe

Filesize
32KB

MD5
cd3b14c112b49d7d56acd1fb5772421d

SHA1
3652283ec41c87ad622e2addb5319cb6118c5b4f

SHA256
ffbb5ae70df5d33222d1119539bc48114f20a0ea7dd36c4c813f99a79b02b9b5

SHA512
608a4ec7accef0547f4fe2e1c1649012957b8f8fd9676751471ae0e35d87693d4e90f0e6ee7b17c2895a97bf8534ad46be7fe85981b89001557c093cffe46b10

Download Submit
C:\Windows\tasksche.exe

Filesize
1.6MB

MD5
7fc9fe8cb299869f670b282a10632e39

SHA1
b5c341e9ee5947a49571291099976f02465be543

SHA256
931ebfeeca19ccaaa0307a29dd903902362945138c122df7f0605057be612275

SHA512
3c534db0f49b68e67e2caca8cb4ce8b6f64f00e425243468241d082cd5660aacd728668373ddef1a1e61acf87f8fbd26c8a058ce6bcb3866a71cbf287420d858

Download Submit