wannacry | ab30576101a7677a2e946d8000b13fa92e99a42cc63e750457495eada8934464

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab30576101a7677a2e946d8000b13fa92e99a42cc63e750457495eada8934464.dll
Size

5.0MB
MD5

9aae6412b2dfc9ed503e6c7123e95579
SHA1

0582e125d46b2f1170aa4a3ee2a7d9117ca06b8a
SHA256

ab30576101a7677a2e946d8000b13fa92e99a42cc63e750457495eada8934464
SHA512

4fc0d530ba7df7898bdeadc28ad9f8dd80d809515868dd5e417190b3f23ef6a7c3f89e73010781c95a57e29de4f630c7b95ebff6eea4023afdb41ac4cdd103a9
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3168) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4812 mssecsvc.exe
3244 mssecsvc.exe
1704 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4812	mssecsvc.exe
3244	mssecsvc.exe
1704	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1464 wrote to memory of 4108	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 4108	1464	rundll32.exe	rundll32.exe
PID 1464 wrote to memory of 4108	1464	rundll32.exe	rundll32.exe
PID 4108 wrote to memory of 4812	4108	rundll32.exe	mssecsvc.exe
PID 4108 wrote to memory of 4812	4108	rundll32.exe	mssecsvc.exe
PID 4108 wrote to memory of 4812	4108	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab30576101a7677a2e946d8000b13fa92e99a42cc63e750457495eada8934464.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab30576101a7677a2e946d8000b13fa92e99a42cc63e750457495eada8934464.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4108

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4812

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1704

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
f5f79a6d2c9268979b23a5737e29eabd

SHA1
456a78b6e2cbb04b96c61b94549201478a0cead8

SHA256
14b07228402db4e997df65facfb306216e65e34daf496c2a2150d4602f4c1021

SHA512
3296ba6ceb0f4de57ac5cb62c02889a889f8d0a1327f3831f23903f4b5c8f42a06a2111ebb8bb5160ed5fccc819d613167067786f1a54231af49887e281f7a83

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
adb6baed15df3b7b9a1eed008391edb6

SHA1
b3dc3a2ea720105cfdfd9552d339c1371e8d109e

SHA256
bcb589f1f9544b5123b3f61457f9e2461a3e1d04b3d816530ccc464750ba2af0

SHA512
27c7e4611da6814587882ac7c9c1904db0a75442b31ac03e93296a0b5cc2d8038b1350ed46e46d4459214b059e6f51ac5dd0951c00a8ad0a1c5071d645ac4027

Download Submit