wannacry | 568457a3f7f57435846704179136e37112f51ef842c3c5c5dc50126ef4f662a2

Analysis

max time kernel
165s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-03-2024 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

220725-dddnnabfh8.dll
Size

5.0MB
MD5

1af38678dc693d8653223ae4856fd2a4
SHA1

fa2dd12ab5ec307438b6fd10dbaab6d7e9622696
SHA256

568457a3f7f57435846704179136e37112f51ef842c3c5c5dc50126ef4f662a2
SHA512

c4eadd07c58aa50fe9656c1259e218ba430e7f2f6b6a84280b4f2122e70c40481c4f7346119f50e0028f8ee4f6a5484108d4cc35e80a0ab1f34da66edb38d4a1
SSDEEP

12288:jvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+D:LbLgddQhfdmMSirYbcMNgef0

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3029) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1616 mssecsvc.exe
3568 mssecsvc.exe
1500 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1616	mssecsvc.exe
3568	mssecsvc.exe
1500	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 880 wrote to memory of 2904	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 2904	880	rundll32.exe	rundll32.exe
PID 880 wrote to memory of 2904	880	rundll32.exe	rundll32.exe
PID 2904 wrote to memory of 1616	2904	rundll32.exe	mssecsvc.exe
PID 2904 wrote to memory of 1616	2904	rundll32.exe	mssecsvc.exe
PID 2904 wrote to memory of 1616	2904	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\220725-dddnnabfh8.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\220725-dddnnabfh8.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2904

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1616

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1500

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
590da9206761814afd7a9c560f7e78ff

SHA1
1ca5c3917d39d3e2a076dfd3852c1f323059b6d9

SHA256
de83d05c74abf769489dd1326e8ce83db138cb74b499098b50c1bc75d5d084d2

SHA512
736bf5cb314903db04f0f38f8c22d0e340f882f17869dc64a457859868ab0dd7062a1a8228ac7c29c1199a5aa0109c28c35c63e84087bd14852f5c2c7e60684e

Download Submit
C:\Windows\mssecsvc.exe

Filesize
2.1MB

MD5
f319f1dd234d560ddda279365d35ec0a

SHA1
07a28c82675d838eec4010f58438fd94ef565e19

SHA256
6177385751cd976688ba43f86a23225720e62cadff121683f00bf1240a670a80

SHA512
007fc9fbfb1fae99141b781b7c56b8485b8c59786cc4a8d6f5d35ec332659ea5922df7d33e6b88102d69e8bb13b85e0c96c7b8a2a467b7bcac3ae533bfe3cdee

Download Submit
C:\Windows\tasksche.exe

Filesize
1.6MB

MD5
b07c697642d5ca058e18ed77888e2c08

SHA1
77007d99ddb1fa3dc12e9ac1d196d763b5055cc1

SHA256
8d179730db241b1030a14ad04316aa729780f6d8b54913e39600c9e4b3e87671

SHA512
767f33fb103af0f50504dc0101bfcc703000beb376b976027a14110b9ae3c3c28c7d21bbb14d4b32271685e8fba816addbfc1ea437d2f4afeb48b8f1460dcec0

Download Submit
memory/1616-4-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/1616-9-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/3568-10-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download