wannacry | 86aa3b8be43d359a9e4cdedaf108e82409d204e1ef233ec22e6135c72d8cf16a

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

805b6b8559d83880b56b9678f973fc30N.dll
Size

5.0MB
MD5

805b6b8559d83880b56b9678f973fc30
SHA1

7ffbb8b15a952db197cd34508f88640aa5ab64e4
SHA256

86aa3b8be43d359a9e4cdedaf108e82409d204e1ef233ec22e6135c72d8cf16a
SHA512

83afe00fbc7f08a85f37ffc9f686dfb1ce9935c4f4a317c2e702ba1dfe78a5d35cb36deff5b6c242ce30767532d4b8592473c5a1da37d529826ed77aece8a10c
SSDEEP

24576:JbLgdeQhfdmMSirYbcMNgef0QeQjGdO6LLuYAMEcpc:JnjQqMSPbcBVQejdAMEc

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2474) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1804 mssecsvc.exe
4400 mssecsvc.exe
4944 tasksche.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
1804	mssecsvc.exe
4400	mssecsvc.exe
4944	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exemssecsvc.exemssecsvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2124 wrote to memory of 904	2124	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 904	2124	rundll32.exe	rundll32.exe
PID 2124 wrote to memory of 904	2124	rundll32.exe	rundll32.exe
PID 904 wrote to memory of 1804	904	rundll32.exe	mssecsvc.exe
PID 904 wrote to memory of 1804	904	rundll32.exe	mssecsvc.exe
PID 904 wrote to memory of 1804	904	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\805b6b8559d83880b56b9678f973fc30N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\805b6b8559d83880b56b9678f973fc30N.dll,#1
2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:904

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1804

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4944

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
8e88b36518369f4d99f2208055587adb

SHA1
826283853d32159f1ac4ae530b8e1688a9f2117a

SHA256
25dad67d599ee6fd4c57f110a3939d04522d708382b2b242bbb03f8b61ada7db

SHA512
41c123ef772f5ed68e6af5f5da141db8562f8989496d97d089dc174b761e766bd3f4ca988deef3cace872dffd4dd8c758c48698f8cb35125b0378288642c488d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
062b5845bc23ede53dafc676c2000582

SHA1
be595d85cec4fd34620e50899f1ac94e010ffa90

SHA256
11bbf6fd6efc4598063edb011ac6481f48e37e527371e7771cd99c082cdd0665

SHA512
5e654eae06e8ed87f56f0ece2bc38cc05d1fa6a468127550aa7867a56597595cec6d23903a017dafb1e061ea41ef823b2308421757f79a8e089df414a43c51fe

Download Submit