wannacry | fbc5b7d85db1bd0fa9e5f9733aa3f1101fdbc81c61e0d925a8a1aef448f745fe

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3150f664452bf26b4e13af7c4e8a86d.dll
Size

5.0MB
MD5

a3150f664452bf26b4e13af7c4e8a86d
SHA1

2b4d7652fc3b324e2fbfb86c04cd8226a170ce32
SHA256

fbc5b7d85db1bd0fa9e5f9733aa3f1101fdbc81c61e0d925a8a1aef448f745fe
SHA512

373395db998308ddf275622e6f1e938340f5bff5867e89de420e7566cbd37cbab3d4600b1a00f77b0b7b22146ad3b1439381c902459905ef06ac34b9d5ee2765
SSDEEP

49152:znAQqMSPbcBVQej/CWINRx+TSqTdX1HkQo6SAARdhnvxJM0H9:TDqPoBhzCWaRxcSUDk36SAEdhvxWa9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3294) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid	Process
64	mssecsvc.exe
3700	mssecsvc.exe
3412	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exemssecsvc.exemssecsvc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	Process	procid_target
PID 4964 wrote to memory of 3780	4964	rundll32.exe	86
PID 4964 wrote to memory of 3780	4964	rundll32.exe	86
PID 4964 wrote to memory of 3780	4964	rundll32.exe	86
PID 3780 wrote to memory of 64	3780	rundll32.exe	87
PID 3780 wrote to memory of 64	3780	rundll32.exe	87
PID 3780 wrote to memory of 64	3780	rundll32.exe	87

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3150f664452bf26b4e13af7c4e8a86d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3150f664452bf26b4e13af7c4e8a86d.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:64
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3412

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
f9a048cf60ff2fd56847e544d5269d4c

SHA1
5b77235acd1c0c4abc1ce8880ed2c8d01182a975

SHA256
8ef38fd47645923e59584e6a3785dc347bb464c56ec795cca1dcbdc907eebdd7

SHA512
d362c8dd72dfd151f20ec07c0f9bcf356ab20645a8186207ebbe72893ae3965697ff71efe2a21d6cf5e6debeb6a628728772ed965105ae2c7b87a242ec127f21

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
49a1efad0fe5a41305770ab838da8f23

SHA1
717dbd357df040362b59d2a1bb174398679d9462

SHA256
962ddcd4ca5a5727034dede53c3f5033923837d1e64301ca4b53e89e98254fda

SHA512
c96dcdd32b82070f8d33e297bf9dad7ae008704ddba5eff2d3f6193c69bd153d5ddb2131d85c8d9e4443051aea2cddbc9ca796b2029c8c8763e58b250fcebb16

Download Submit