wannacry | df6d5b29a97647bca44e2306069f7675ef992f591c8c761af99bbdc17cfa7692

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

996c2b2ca30180129c69352a3a3515e4 (1).dll
Size

5.0MB
MD5

996c2b2ca30180129c69352a3a3515e4
SHA1

6d788a5a77719ef3157c409108909da2456bf996
SHA256

df6d5b29a97647bca44e2306069f7675ef992f591c8c761af99bbdc17cfa7692
SHA512

da2acf9fd0553b473802b6dd8cf35a0ac4e734f0a790f9c260db06f46f84ff452bd888297f662540bf60a895a3f196368d3e24d13dd9e0d4ca9e83d3cc1076de
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:TDqPe1Cxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3191) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2524 mssecsvc.exe
3272 mssecsvc.exe
3340 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
2524	mssecsvc.exe
3272	mssecsvc.exe
3340	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2488 wrote to memory of 4868	2488	rundll32.exe	rundll32.exe
PID 2488 wrote to memory of 4868	2488	rundll32.exe	rundll32.exe
PID 2488 wrote to memory of 4868	2488	rundll32.exe	rundll32.exe
PID 4868 wrote to memory of 2524	4868	rundll32.exe	mssecsvc.exe
PID 4868 wrote to memory of 2524	4868	rundll32.exe	mssecsvc.exe
PID 4868 wrote to memory of 2524	4868	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\996c2b2ca30180129c69352a3a3515e4 (1).dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\996c2b2ca30180129c69352a3a3515e4 (1).dll",#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4868

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2524

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:3340

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
7339a0efc768310a86b6d4f61d88b910

SHA1
05cebfdb6729ed57ca111ae18b645335af7cf006

SHA256
74d72f5f488bd3c2e28322c8997d44ac61ee3ccc49b7c42220472633af95c0c0

SHA512
83a892c1680f94d6422665f4374885350dd887add35f54fb6c1e11b2a99e04e5794fb56b1c3858da32dca86da01e5d842b3d489df84f54dc929f62c238c002fd

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit