wannacry | eeb4d095615c2faa4a25c9d3ddd7e056c0f1a596917f48d4351e0fed2040685c

Analysis

max time kernel
150s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab9a8b13426052f871ad2473ca727445.dll
Size

5.0MB
MD5

ab9a8b13426052f871ad2473ca727445
SHA1

402bad956a2c54c8f4b32d255df723fc9f297089
SHA256

eeb4d095615c2faa4a25c9d3ddd7e056c0f1a596917f48d4351e0fed2040685c
SHA512

6ab7ae1803632b5e348614a71b58c240274da09192ece086108b70f340ce4afa4dd2836e8749e10e87def27da6928949a07ded505fc1ffa21e976f72b50b95c6
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdd1HkQo6SAARdhnvx:+DqPoBhz1aRxcSUZk36SAEdhvx

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2675) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4288 mssecsvc.exe
3732 mssecsvc.exe
2804 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4288	mssecsvc.exe
3732	mssecsvc.exe
2804	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3148 wrote to memory of 4752	3148	rundll32.exe	rundll32.exe
PID 3148 wrote to memory of 4752	3148	rundll32.exe	rundll32.exe
PID 3148 wrote to memory of 4752	3148	rundll32.exe	rundll32.exe
PID 4752 wrote to memory of 4288	4752	rundll32.exe	mssecsvc.exe
PID 4752 wrote to memory of 4288	4752	rundll32.exe	mssecsvc.exe
PID 4752 wrote to memory of 4288	4752	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab9a8b13426052f871ad2473ca727445.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab9a8b13426052f871ad2473ca727445.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4752

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4288

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2804

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
76c9ea6eb26472d7c6adae1de0da9627

SHA1
994583dfc53576fbaedba77baa71b123b0540cea

SHA256
93cc8628417711f799d8239284c81d5589453afe196b87079c8ddb24b8e6a6d3

SHA512
18a3fee23d1b3d10ff841eee1ea5bdf39f84a2c85e7fb1bb97bc47efbba547d2928b1fa3ce832d5fec291572e82d6b7e74b2b2a862b2fbc1fd051afda4d2de45

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
d9ab07fdbd01e1673d4732789453ba5e

SHA1
8586e13eb3cc100621e313e095eb866d599e16dd

SHA256
619777a0df4d2d6dffaeb1355391d9cf89b4a52addaf23d2f2f9961ea9dcbed6

SHA512
c80850f612abbb8e3085f1cef55ba38b874a3f80ae24d168e515b41b64d90ce6696023bfa2298f5aad1da8f0777e4d046afc7d0100cd1dfd29a4fe44283e3393

Download Submit