wannacry | 50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb_NeikiAnalytics.dll
Size

5.0MB
MD5

5dc67f894b80e515c349d40f47bccb34
SHA1

13c8d42e174455eb0635cd31e29365c1e81f3f8b
SHA256

50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb
SHA512

fd78dcbc8f0245a4b5ba49758c38dec83bc3258093ead7a9f444197f60c870b2060836a6a021875c44f54871c502ffe6bb127d1c4882388fa7bac9485c93f585
SSDEEP

49152:SnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+8qPoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3226) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2724 mssecsvc.exe
2064 mssecsvc.exe
2704 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2724	mssecsvc.exe
2064	mssecsvc.exe
2704	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

mssecsvc.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1728 wrote to memory of 2596	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 2596	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 2596	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 2596	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 2596	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 2596	1728	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 2596	1728	rundll32.exe	rundll32.exe
PID 2596 wrote to memory of 2724	2596	rundll32.exe	mssecsvc.exe
PID 2596 wrote to memory of 2724	2596	rundll32.exe	mssecsvc.exe
PID 2596 wrote to memory of 2724	2596	rundll32.exe	mssecsvc.exe
PID 2596 wrote to memory of 2724	2596	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb_NeikiAnalytics.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\50844c4adfc9e7c234938c513cd5fca3c24f9ac7f3bd017c489a1c107db1f4fb_NeikiAnalytics.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2596

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2724

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2704

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
f6fa001fefb1871496a48e9e867151ae

SHA1
d56486a0bf4ba8e7c44aecae6a9a79d81412b428

SHA256
21dc73fdf73fc5a3b9d578ae328411517dc3ab0974be32b0310feb112c63d751

SHA512
b9f9ff8134b6e53f7aceffa89c9a295f146b911c9f3f46216022ad044bcd10dd7796a88e9d966bfed02fbde2250200d3255599baf85f709293de69828292e1bd

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
3a4580061b9ebc4436c0087538d18b17

SHA1
1736863b07f6314c821bf77d8c7f61792d1339b7

SHA256
7303c2b9de9432439804eb397e48d2ef80549781b43c9e7666a8a6c2a42f8ed2

SHA512
baed786b93022b1dc4c36c79bc813758744e5f031cc2f0ab266553456e42b94f05ad1de67009129407abfd32c82a437c89938b6487f736df011d462b985b260d

Download Submit