wannacry | 5f77ec5a76d7aeedf0071714d72c6e012db30ac40b9f26793f5aae58b6267197

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f77ec5a76d7aeedf0071714d72c6e012db30ac40b9f26793f5aae58b6267197.dll
Size

5.0MB
MD5

508a10e644641d0663201a34d1f34a3e
SHA1

938032b48266a294ac966a632bf39510112ee052
SHA256

5f77ec5a76d7aeedf0071714d72c6e012db30ac40b9f26793f5aae58b6267197
SHA512

c7bff89cca236eec09f8c736f8bed56c0b17314397053b610c29e274c97b660b725a847dd622f306c1ac3bf7d91b0baceb078664270ae7da522b9fde9dd6a24b
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEa593R8yAVp2H:TDqPe1Cxcxk3ZAEazR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3207) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2264	mssecsvc.exe
3388	mssecsvc.exe
3068	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1460	1220	rundll32.exe	83
PID 1220 wrote to memory of 1460	1220	rundll32.exe	83
PID 1220 wrote to memory of 1460	1220	rundll32.exe	83
PID 1460 wrote to memory of 2264	1460	rundll32.exe	84
PID 1460 wrote to memory of 2264	1460	rundll32.exe	84
PID 1460 wrote to memory of 2264	1460	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f77ec5a76d7aeedf0071714d72c6e012db30ac40b9f26793f5aae58b6267197.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f77ec5a76d7aeedf0071714d72c6e012db30ac40b9f26793f5aae58b6267197.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2264
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:3068

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
1147ea38fa9c8262147edfca8d05c25b

SHA1
c269024fff089b2df3939b934ca8ee75cc40d6b7

SHA256
0a9ec2f6c2c9acf8b0d69e4478951ddfadfc2f7208a564ebfae9d28738c51e5f

SHA512
f26fc6d40d5976cf7163cca2255f1d56d623cdb58d4a6df40b112b210cd128624d0d5947723c15152c57e109ea5e5332ae2edb037a843c9d4b2882fa844f2086

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
8db30a1308d4b53a26a76b814813b8b4

SHA1
61791a7326af11ef6bbe3007dec1d43d172edd8b

SHA256
ced6e1ab61223c75546bc6c10abfdf75419a8092a7803789817052d48ddf0714

SHA512
1bbd5ccb904aeca6dc9eb42d6f75925175cbbc13ced43f6d4bf999fcefb56d033c5e27bfd13efb493e76ec50aa8b01e6cc07f53102f83411b32c6c29cf269750

Download Submit