wannacry | 1332b0403b4e49453eb41d93449190252ded6329b65fa93ef1472990e5a644e9

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-11-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1332b0403b4e49453eb41d93449190252ded6329b65fa93ef1472990e5a644e9N.dll
Size

5.0MB
MD5

81ad93e3753f33f27fca4fb024bc4060
SHA1

730036d7b9ab4bbfb4c14e0d43f1a22f31e70883
SHA256

1332b0403b4e49453eb41d93449190252ded6329b65fa93ef1472990e5a644e9
SHA512

67f968a31af18115d605fe217121ce3f204ab2dd85ce7074002f60e0d042679212c40ccbc3e5f8937f7cc96d6b6b034bc2ca3ec479711bf9aef6161413836732
SSDEEP

49152:JnjQqMSPbcBV0+TSqTdX1HkQo6SAuEauS:d8qPoBWcSUDk36SALS

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (2481) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2964	mssecsvc.exe
2772	mssecsvc.exe
2908	tasksche.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 2540	2744	rundll32.exe	30
PID 2744 wrote to memory of 2540	2744	rundll32.exe	30
PID 2744 wrote to memory of 2540	2744	rundll32.exe	30
PID 2744 wrote to memory of 2540	2744	rundll32.exe	30
PID 2744 wrote to memory of 2540	2744	rundll32.exe	30
PID 2744 wrote to memory of 2540	2744	rundll32.exe	30
PID 2744 wrote to memory of 2540	2744	rundll32.exe	30
PID 2540 wrote to memory of 2964	2540	rundll32.exe	31
PID 2540 wrote to memory of 2964	2540	rundll32.exe	31
PID 2540 wrote to memory of 2964	2540	rundll32.exe	31
PID 2540 wrote to memory of 2964	2540	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1332b0403b4e49453eb41d93449190252ded6329b65fa93ef1472990e5a644e9N.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1332b0403b4e49453eb41d93449190252ded6329b65fa93ef1472990e5a644e9N.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2964
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2908

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
e47560ca94d9cb04291a78a96358a8b2

SHA1
34175e7c4284f62c80cc2705fc87fcae36de0f29

SHA256
414cd376e41da650cdff328c78efe9152344e640fb1ab74655779bc72de6d248

SHA512
09910487cfe5e199db13840753fce8cc1e78e6fead43b3f3e79f379f0ef96b39cf0be52b5802e309299582e18bcc9ca858345457bdad32a4117489ba833fc6e3

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
4234d3d1f3bb927cca4f6ec68fae8788

SHA1
a0638d8e6513954a8675174525ff59cb274c2605

SHA256
4e22e67f1b911a772ca5e6aea29213f60a2409819f52f5db4d85c39165c990c2

SHA512
dc216570a186c5c4bb1b0257c46db2055f7aa49e1ffd09be8d6bf2299f9e12219273348d64b35e2ddc29ab4a81c11aa9157d7acfb13482dad1858a21799c329b

Download Submit