wannacry | 9443b99b4839e7df78a09682c686ff54464d3edd9635bd05cf3c5e6211215c85

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9443b99b4839e7df78a09682c686ff54464d3edd9635bd05cf3c5e6211215c85.dll
Size

5.0MB
MD5

7823636f9ce01306178c1ee7772ad831
SHA1

8895257915c33299a6bc30b064267d5959aa4440
SHA256

9443b99b4839e7df78a09682c686ff54464d3edd9635bd05cf3c5e6211215c85
SHA512

bba25f09d4e6162a9d013343bec1b71fb1737e97bd3816fca3f366a33fdc3eee93bd6c6eb3097e7efed02aa325f55312fd6e1aff039b07d43d9376747b120e54
SSDEEP

12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DWe:SbLgddQhfdmMSirYbcMNgef0Z

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3254) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

3036 mssecsvc.exe
2344 mssecsvc.exe
2664 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
3036	mssecsvc.exe
2344	mssecsvc.exe
2664	tasksche.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E73BD89C-0947-4FFE-9350-8BB7A5ED8355}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E73BD89C-0947-4FFE-9350-8BB7A5ED8355}\WpadDecisionTime = e0c791f2f6cdda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-5c-d1-91-35-12\WpadDecisionTime = e0c791f2f6cdda01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E73BD89C-0947-4FFE-9350-8BB7A5ED8355}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-5c-d1-91-35-12	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-5c-d1-91-35-12\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-5c-d1-91-35-12\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E73BD89C-0947-4FFE-9350-8BB7A5ED8355}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E73BD89C-0947-4FFE-9350-8BB7A5ED8355}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E73BD89C-0947-4FFE-9350-8BB7A5ED8355}\0a-5c-d1-91-35-12	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2484 wrote to memory of 2984	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 2984	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 2984	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 2984	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 2984	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 2984	2484	rundll32.exe	rundll32.exe
PID 2484 wrote to memory of 2984	2484	rundll32.exe	rundll32.exe
PID 2984 wrote to memory of 3036	2984	rundll32.exe	mssecsvc.exe
PID 2984 wrote to memory of 3036	2984	rundll32.exe	mssecsvc.exe
PID 2984 wrote to memory of 3036	2984	rundll32.exe	mssecsvc.exe
PID 2984 wrote to memory of 3036	2984	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9443b99b4839e7df78a09682c686ff54464d3edd9635bd05cf3c5e6211215c85.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9443b99b4839e7df78a09682c686ff54464d3edd9635bd05cf3c5e6211215c85.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2984

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3036

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2664

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
15527dc4d7c60836e7f3458073fa8be9

SHA1
8d06fc2029c35e27069ddb6fd22b167f7fbe4b09

SHA256
864ab3e65fcc93d75cea25920a24cd068cbd9a5b6d6f25bf625fc4e4e070848b

SHA512
90117053131d77eda07bc5279535dcc0de5af787564c993878a2b006d85332675341bbcf4aaaa1c45a77c7fefa63262e9a9bff68aecb2d5ce5ed249cf21b30d2

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a8ce75464228a717b735cf3105a702a9

SHA1
e13da728e8e1461b05a670bf8af87fb22e83f2bd

SHA256
b474d51deda614d1af02d050e2a1ab65388831baef98cd225273d112e55bb990

SHA512
40996e61585b8386c6a4b8ab5f97213a27e138c2f7fb0a14a0b51415b9888eb869e960840a17077a4c1276b4ce9fa7a9710511f44c5179ea2fad1f7f2bd24baa

Download Submit