wannacry | a217bb27a47dc7eb7194d7da93d6b357f85414441f3125629789273d0b577302

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a217bb27a47dc7eb7194d7da93d6b357f85414441f3125629789273d0b577302.dll
Size

5.0MB
MD5

92707e45cda91db9515975f898c059a7
SHA1

fd39e8b44777c9c53f8f8f4c1605894fcb9c5aa2
SHA256

a217bb27a47dc7eb7194d7da93d6b357f85414441f3125629789273d0b577302
SHA512

16a0a3b3086531b34e3f3b867af64c91da7c051897dc1f260ad4655b5bb8aca9c69fe2395dd024e408e12dee6b50f7c9fd11c5672bde6cba791b1da262af7cd8
SSDEEP

98304:g8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HY:g8qPe1Cxcxk3ZAEUadzR8yc4HY

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (2388) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
460	mssecsvc.exe
2132	mssecsvc.exe
4856	tasksche.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 1520	4836	rundll32.exe	83
PID 4836 wrote to memory of 1520	4836	rundll32.exe	83
PID 4836 wrote to memory of 1520	4836	rundll32.exe	83
PID 1520 wrote to memory of 460	1520	rundll32.exe	84
PID 1520 wrote to memory of 460	1520	rundll32.exe	84
PID 1520 wrote to memory of 460	1520	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a217bb27a47dc7eb7194d7da93d6b357f85414441f3125629789273d0b577302.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a217bb27a47dc7eb7194d7da93d6b357f85414441f3125629789273d0b577302.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:460
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4856

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe

Filesize
3.6MB

MD5
0d641f769ca25633d672ba7a16dda642

SHA1
3679381142f21b6311f5821a705c5744366ff44f

SHA256
87f80025623df8ee2f54724492318168446b87b91d2db3c3108fced387390394

SHA512
e01695f12b8dd3a5bc76a5629fa8e38af803341099f2b9524a1e23be7f0d642d802f70a8f337d40e0b06f6ef4bd77cec51f38e1ccbac71885dde6fbdc945bd05

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
7f7ccaa16fb15eb1c7399d422f8363e8

SHA1
bd44d0ab543bf814d93b719c24e90d8dd7111234

SHA256
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA512
83e334b80de08903cfa9891a3fa349c1ece7e19f8e62b74a017512fa9a7989a0fd31929bf1fc13847bee04f2da3dacf6bc3f5ee58f0e4b9d495f4b9af12ed2b7

Download Submit
memory/460-4-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/460-10-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2132-7-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download
memory/2132-11-0x0000000000400000-0x0000000000A73000-memory.dmp

Filesize
6.4MB

Download