wannacry | 92e19d8feec6650171bd8d60954fc3af2d253002b64547ad22e4761ad74fdb90

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92e19d8feec6650171bd8d60954fc3af2d253002b64547ad22e4761ad74fdb90.dll
Size

5.0MB
MD5

3c3591eb1df1f5f60cc846685303fb58
SHA1

d0c3fd09e35ca27aa28099dd5c28f2f0b3f28e2b
SHA256

92e19d8feec6650171bd8d60954fc3af2d253002b64547ad22e4761ad74fdb90
SHA512

f23a38cd00a83bb35a707fd821fd7dd3b706c77fe36b1e03819c0a1cf61424b54163aae0741b7ae6cd14f8a0399c34738500eca897390baa04c102525099eaea
SSDEEP

49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:d8qPoBhz1aRxcSUDk36SAEdhvxWa9

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Contacts a large (3328) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2160	mssecsvc.exe
2284	mssecsvc.exe
2844	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 3028	3008	rundll32.exe	31
PID 3008 wrote to memory of 3028	3008	rundll32.exe	31
PID 3008 wrote to memory of 3028	3008	rundll32.exe	31
PID 3008 wrote to memory of 3028	3008	rundll32.exe	31
PID 3008 wrote to memory of 3028	3008	rundll32.exe	31
PID 3008 wrote to memory of 3028	3008	rundll32.exe	31
PID 3008 wrote to memory of 3028	3008	rundll32.exe	31
PID 3028 wrote to memory of 2160	3028	rundll32.exe	32
PID 3028 wrote to memory of 2160	3028	rundll32.exe	32
PID 3028 wrote to memory of 2160	3028	rundll32.exe	32
PID 3028 wrote to memory of 2160	3028	rundll32.exe	32

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\92e19d8feec6650171bd8d60954fc3af2d253002b64547ad22e4761ad74fdb90.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\92e19d8feec6650171bd8d60954fc3af2d253002b64547ad22e4761ad74fdb90.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2160
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2844

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
d21d12114f36cb9cd7af57659151d441

SHA1
93f5ea70785b7acf9127ee2dc9ab3a87b6d5d39a

SHA256
64ed73629dfaec5db575cfd5e55aaff90c081fe6901384f8ea443e158b75bacc

SHA512
0a5dfa54520606ce55657a5361ed08a1434c642eedb9cbf382bfe62b89be234b22182629a8b11131b50cfc0df9bb444b50902e3d4409cb5a7423caefd7d729ba

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
d7f2c9304928c99e1d6856fdf2e75f5f

SHA1
1b2bd87f52c95fa4e129b1ef25c8538d5d4be7b5

SHA256
26213e7fe08c90f11ed7e38c9be6a50d3fc4eadf884f4f06e51d7f20f71676b7

SHA512
091d342951d2c029e9f4c571eea9c58d27f092ca2b913ec8decaf4c823ad4af5e1a04fdf3b53b1a7dda2352b26e8a610b14e7c0bf03d46712e19e6a067e72d1f

Download Submit