{"id":2806,"date":"2021-07-12T09:02:00","date_gmt":"2021-07-12T07:02:00","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2806"},"modified":"2026-06-08T22:17:43","modified_gmt":"2026-06-08T22:17:43","slug":"wannamine-worm-analysis-intervention","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/wannamine-worm-analysis-intervention\/","title":{"rendered":"WannaMine worm: analysis and intervention"},"content":{"rendered":"\n\n\n<div class=\"wp-block-media-text alignwide\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/monero-1024x682.png\" alt=\"\" class=\"wp-image-2839\" loading=\"lazy\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p style=\"text-align: justify\">Our team recently detected, analysed and managed a compromise attempt by <strong>WannaMine<\/strong> malware.<\/p>\n\n\n\n<p style=\"text-align: justify\">WannaMine is a <strong>Worm<\/strong>-type malware (known since 2017) whose purpose is to propagate within corporate networks and perform <strong>cryptocurrency mining (Monero)<\/strong> on all compromised systems.<\/p>\n<p style=\"text-align: justify\">Its propagation capabilities via <strong>valid credentials<\/strong> (Mimikatz and Empire modules) and exploitation of <strong>SMB<\/strong> protocol vulnerabilities (<strong>EternalBlue<\/strong> <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2017-0144\">CVE-2017-0144<\/a>) render <strong>Incident Response<\/strong> activities more complex. 
Furthermore, the almost entirely <em>fileless<\/em> structure of the malware enables it to bypass classic Endpoint protections.<\/p>\n<\/div><\/div>\n\n\n\n<p style=\"text-align: justify\">Analysis of the sample enabled our analysts to obtain information on the Worm&#8217;s compromise and propagation methods as well as the <strong>Monero Wallet<\/strong> address associated with this criminal group: 46gVfDm99aq9JqESFxXFp5AyFCZPHsbTn48dWAtVASddf4TmhQMkxvQadhKPvAjszJV8cQKVHHLQ7WpNrh33ogkGUPHhpVP<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<p style=\"text-align: justify\">Some of the <strong>Tactics<\/strong> and <strong>Techniques<\/strong> associated with WannaMine Worm compromise:<\/p>\n\n\n\n<div class=\"wp-block-group alignwide\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<table style=\"border-collapse: collapse;width: 100%;height: 198px\">\n<tbody>\n<tr style=\"height: 25px\">\n<td style=\"width: 33.3333%;height: 25px;background-color: #20214f;text-align: center\"><span style=\"color: #ffffff\"><strong>Tactic<\/strong><\/span><\/td>\n<td style=\"width: 33.3333%;height: 25px;background-color: #20214f;text-align: center\"><span style=\"color: #ffffff\"><strong>Technique ID<\/strong><\/span><\/td>\n<td style=\"width: 33.3333%;height: 25px;background-color: #20214f;text-align: center\"><span style=\"color: #ffffff\"><strong>Technique Name<\/strong><\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px\">\n<td style=\"width: 33.3333%;height: 50px\" rowspan=\"2\"><strong>Initial Access<\/strong><\/td>\n<td style=\"width: 33.3333%;height: 25px\"><span>T1189<\/span><\/td>\n<td style=\"width: 33.3333%;height: 25px\">Drive-by Compromise<\/td>\n<\/tr>\n<tr style=\"height: 25px\">\n<td style=\"width: 33.3333%;height: 25px\"><span>T1566.001<\/span><\/td>\n<td style=\"width: 33.3333%;height: 25px\">Spearphishing Attachments<\/td>\n<\/tr>\n<tr style=\"height: 25px\">\n<td style=\"width: 33.3333%;height: 
25px\"><strong>Persistence<\/strong><\/td>\n<td style=\"width: 33.3333%;height: 25px\"><span>T1546.003<\/span><\/td>\n<td style=\"width: 33.3333%;height: 25px\">Windows Management Instrumentation Event Subscription<\/td>\n<\/tr>\n<tr style=\"height: 25px\">\n<td style=\"width: 33.3333%;height: 25px\"><strong>Credential Access<\/strong><\/td>\n<td style=\"width: 33.3333%;height: 25px\"><span>T1003.001<\/span><\/td>\n<td style=\"width: 33.3333%;height: 25px\">OS Credential Dumping<\/td>\n<\/tr>\n<tr style=\"height: 48px\">\n<td style=\"width: 33.3333%;height: 48px\" rowspan=\"2\"><strong>Lateral Movement<\/strong><\/td>\n<td style=\"width: 33.3333%;height: 48px\"><span>T1210<\/span><\/td>\n<td style=\"width: 33.3333%;height: 48px\">Exploitation of Remote Services<\/td>\n<\/tr>\n<tr style=\"height: 25px\">\n<td style=\"width: 33.3333%;height: 25px\"><span>T1021.002<\/span><\/td>\n<td style=\"width: 33.3333%;height: 25px\">Remote Services<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div><\/div>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<p style=\"text-align: justify\">The malware, known since 2017, has undergone several modifications and is present in the wild with different variants and functionalities.<\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">Compromise Chain Analysis<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Compromise Initiation<\/h3>\n\n\n\n<p style=\"text-align: justify\">The attack vector used by the Worm is, with high probability, represented by <strong>Drive-By Compromise<\/strong> activity. 
Execution of the <strong>dropper<\/strong> (a PowerShell script, <strong>in6.ps1<\/strong>) on the system triggers a long chain of events responsible for malware installation.<\/p>\n\n\n\n<p style=\"text-align: justify\">The first part of the code is used to bypass the Windows <em>Anti-Malware Scan Interface<\/em> (<strong>AMSI<\/strong>).<\/p>\n\n\n\n<div class=\"wp-block-image caption-align-center\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-8-1024x279.png\" alt=\"\" class=\"wp-image-2812\" loading=\"lazy\" \/><figcaption>AMSI Bypass<\/figcaption><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">Within the dropper is a list of server URLs used for malware download during <em><strong>Lateral Movement<\/strong><\/em> activities:<\/p>\n\n\n\n<div class=\"wp-block-image caption-align-center\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-9.png\" alt=\"\" class=\"wp-image-2813\" loading=\"lazy\" \/><figcaption>Dropper address list<\/figcaption><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">The remaining code contains instructions for cryptominer installation on the system:<\/p>\n\n\n\n<div class=\"wp-block-image caption-align-center\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-10.png\" alt=\"\" class=\"wp-image-2814\" loading=\"lazy\" \/><figcaption>Code to extract artefacts from the $fa variable<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Persistence<\/h3>\n\n\n\n<p style=\"text-align: justify\">The malware establishes persistence through the registration of <strong>Windows Management Instrumentation<\/strong> (<strong>WMI<\/strong>) events. 
WMI can be used to execute code when a specific event occurs.<\/p>\n<p style=\"text-align: justify\">For example, it is possible to trigger a command at a certain time of day, at user logon, or after a certain period of system inactivity. In this way, an event can be registered and arbitrary code executed when that event occurs, providing a perfect persistence mechanism.<\/p>\n\n\n\n<div class=\"wp-block-image caption-align-center\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-11.png\" alt=\"\" class=\"wp-image-2817\" loading=\"lazy\" \/><figcaption>Persistence<\/figcaption><\/figure><\/div>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>SCM Event8 Log Consumer<\/strong> executes approximately every 4 hours to resume the infection process in case the process previously failed;<\/li><li><strong>SCM Event8 Log Consumer2<\/strong> executes 4\/5 minutes after system startup.<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image caption-align-center\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-12-1024x455.png\" alt=\"\" class=\"wp-image-2818\" loading=\"lazy\" \/><figcaption>WMI event subscription setup<\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\">Lateral Movement<\/h3>\n\n\n\n<p style=\"text-align: justify\"><em><strong>Lateral movement<\/strong><\/em> is executed through the <strong>funs<\/strong>, <strong>mimi<\/strong>, and <strong>sc<\/strong> artefacts extracted from the <strong>$fa<\/strong> variable.<\/p>\n\n\n\n<p style=\"text-align: justify\"><strong>Funs<\/strong> is a PowerShell file containing all the functions necessary to infect other systems on the network.<br>Much of the <strong>funs<\/strong> code originates from the <strong>Empire<\/strong> framework.<br>Through <strong>Get-creds<\/strong>, it uses the <strong>mimi<\/strong> 
artefact, containing Mimikatz code, to extract usernames and passwords from the system. Subsequently, it uses <strong>test-net<\/strong>, to which an array with Class B and C IPs identified on the network is passed.<\/p>\n<p style=\"text-align: justify\">This function initiates propagation activity across internal corporate networks, a pattern we observed through <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> telemetry showing WMI-based lateral movement across multiple subnets:<\/p>\n\n\n\n<div class=\"wp-block-image caption-align-center\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-14.png\" alt=\"\" class=\"wp-image-2826\" loading=\"lazy\" \/><figcaption>Get-creds call passing Mimikatz as argument and use of test-net<\/figcaption><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">The script contains a series of propagation mechanisms (in order of execution):<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Remote execution with WMI<\/li><li>Remote execution with Samba<\/li><li>Exploitation of the EternalBlue vulnerability, in which it uses the <strong>sc<\/strong> artefact as shellcode.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Cryptocurrency mining<\/h3>\n\n\n\n<p style=\"text-align: justify\">To execute Monero mining activity, the malware uses two artefacts: <strong>mon<\/strong> and <strong>mue<\/strong>.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">First method &#8211; MON<\/h5>\n\n\n\n<p style=\"text-align: justify\">As a first attempt, the worm executes the <strong>mon<\/strong> artefact in <strong>fileless<\/strong> mode; the code is embedded in the <strong>systemcore_Updater8<\/strong> class, which is invoked via PowerShell. 
<\/p>\n<p style=\"text-align: justify\">The code is a copy of the open-source miner <strong>XMRig<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">XMRig software configuration:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Cryptocurrency<\/strong>: Monero<\/li><li><strong>Wallet<\/strong>: 46gVfDm99aq9JqESFxXFp5AyFCZPHsbTn48dWAtVASddf4TmhQMkxvQadhKPvAjszJV8cQKVHHLQ7WpNrh33ogkGUPHhpVP<\/li><li><strong>Pool addresses<\/strong>: <ul><li>xmr-eu1.nanopool.org:14444<\/li><li>xmr-asia1.nanopool.org:14444<\/li><li>xmr-eu2.nanopool.org:14444<\/li><li>xmr-us-east1.nanopool.org:14444<\/li><li>xmr-us-west1.nanopool.org:14444<\/li><li>pool.minexmr.com:80<\/li><li>sg.minexmr.com:80<\/li><li>ca.minexmr.com:80<\/li><\/ul><\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/MicrosoftTeams-image.png\" alt=\"\" class=\"wp-image-2823\" loading=\"lazy\" \/><figcaption>mon (XMRig) configuration extract<\/figcaption><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">The artefact <strong>ring<\/strong> is then installed on the system under the name WinRing0x64.sys.<br>This is a Microsoft driver used by mon to optimise the RandomX Monero mining algorithm.<br>The driver, although legitimate, contains several vulnerabilities that, if exploited, would allow an attacker to obtain SYSTEM privileges.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Second method &#8211; MUE<\/h5>\n\n\n\n<p style=\"text-align: justify\">If the first execution does not succeed, <strong>WannaMine<\/strong> executes a different artefact, placing the file on disk via <strong>WMI<\/strong>, naming it <strong>mue.exe<\/strong> (system path C:\\Windows\\system32). 
<br>The executable is an obsolete version of <strong>XMRig<\/strong> that does not leverage the WinRing0x64.sys driver.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-13.png\" alt=\"\" class=\"wp-image-2825\" loading=\"lazy\" \/><figcaption>Disk write and execution of mue.exe<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<h2 class=\"wp-block-heading\">Static Analysis<\/h2>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\"><span style=\"background-color:#052158\" class=\"has-inline-background\"><span style=\"color:#ffffff\" class=\"tadv-color\">Script: in6.ps1<\/span><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"> Description<\/h4>\n\n\n\n<p style=\"text-align: justify\"><strong>PowerShell<\/strong> file acting as a dropper.<br>It contains a variable <strong>$fa<\/strong> holding Base64-encoded code used to extract all artefacts required for compromise.<br>A second code section is present with multiple obfuscation layers inserted to evade detection by AntiVirus endpoint protection solutions.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"> Details <\/h4>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td>md5<\/td><td>B73E5BF7274478FB8FA6CE94AF3F6921<\/td><\/tr><tr><td>sha1<\/td><td>98BFD0AC4EE3469A331B4C99436B532E7D18B4D6<\/td><\/tr><tr><td>sha256<\/td><td>3562E13CF2C2B0416B22286217602632A421AC6560FC3E4F9EBF8D13A19CA97E<\/td><\/tr><tr><td>file-size<\/td><td>13 946 596 (bytes)<\/td><\/tr><tr><td>entropy<\/td><td>4.000<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\"><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#002060\" 
class=\"tadv-background-color\"> Script: Funs <\/span><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"> Description<\/h4>\n\n\n\n<p style=\"text-align: justify\">File containing a <strong>PowerShell<\/strong> script with auxiliary functions, including those for <strong>Lateral Movement<\/strong>. Many of these functions are derived from frameworks such as <strong>Empire<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"> Details <\/h4>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td>md5<\/td><td>03A5E1B8680B44A07DAAE5D5517FB38F<\/td><\/tr><tr><td>sha1<\/td><td>903AE5A3895D58FFAA384E926B581DCAD1C8CAB3<\/td><\/tr><tr><td>sha256<\/td><td>809FE2FCCDDF5C788812F1CB18B76F0F1BA4BB8AD1CF24F55A5B95E6225E891C<\/td><\/tr><tr><td>file-size<\/td><td>450 722 (bytes)<\/td><\/tr><tr><td>entropy<\/td><td>5.181<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\"><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#002060\" class=\"tadv-background-color\"> Executable: mimi <\/span><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"> Description<\/h4>\n\n\n\n<p style=\"text-align: justify\">Binary file containing <strong>Mimikatz<\/strong>, executed via reflective injection so that it is never written to disk. 
It is used to extract credentials present on the system.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"> Details <\/h4>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td>md5<\/td><td>1A89B3DEBD2B8F45B04A12116893BC9C<\/td><\/tr><tr><td>sha1<\/td><td>3147D48F8AEC7615CC803E449F3FF688663395F8<\/td><\/tr><tr><td>sha256<\/td><td>EE8275A57D7A80427131D126A19862D6889AB409F7EC4293721E3BD15AA11C9E<\/td><\/tr><tr><td>file-size<\/td><td>1 293 314 (bytes)<\/td><\/tr><tr><td>entropy<\/td><td>4.536<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\"><span style=\"background-color:#002060\" class=\"tadv-background-color\"> <span style=\"color:#ffffff\" class=\"tadv-color\">Executable: mon <\/span><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"> Description<\/h4>\n\n\n\n<p style=\"text-align: justify\">Contains a version of the open-source XMRig software, which is a cryptocurrency miner. 
It is executed in memory via PowerShell without being written to disk.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"> Details <\/h4>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td>md5<\/td><td>AE8A82C77FD56390B76F6B756DAD101C<\/td><\/tr><tr><td>sha1<\/td><td>DA0CC3211B27616BFE3F9618658C14B65AAB97E2<\/td><\/tr><tr><td>sha256<\/td><td>6DFCE5506FFBECE1CC1DD6AE05D7D4022AC6A73E0EC247A100FA32B04EDFFCF7<\/td><\/tr><tr><td>file-size<\/td><td>2715138 (bytes)<\/td><\/tr><tr><td>entropy<\/td><td>4.800<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\"><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#002060\" class=\"tadv-background-color\"> Executable: WinRing0x64.sys <\/span><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"> Description<\/h4>\n\n\n\n<p style=\"text-align: justify\">Legitimate driver used by <strong>mon<\/strong> to optimise mining performance. 
Despite being a legitimate driver, it contains <em><strong>Privilege Escalation<\/strong><\/em> vulnerabilities; its installation renders the system less secure.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"> Details <\/h4>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td>md5<\/td><td>0C0195C48B6B8582FA6F6373032118DA<\/td><\/tr><tr><td>sha1<\/td><td>D25340AE8E92A6D29F599FEF426A2BC1B5217299<\/td><\/tr><tr><td>sha256<\/td><td>11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5<\/td><\/tr><tr><td>file-size<\/td><td>14544 (bytes)<\/td><\/tr><tr><td>entropy<\/td><td>6.266<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\"><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#002060\" class=\"tadv-background-color\"> Executable: mue.exe <\/span><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"> Description<\/h4>\n\n\n\n<p style=\"text-align: justify\">Designed to inject the payload into a legitimate process via process hollowing. 
The injected payload is a version of XMRig.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"> Details <\/h4>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td>md5<\/td><td>D1AED5A1726D278D521D320D082C3E1E<\/td><\/tr><tr><td>sha1<\/td><td>EFDB3916C2A21F75F1AD53B6C0CCDF90FDE52E44<\/td><\/tr><tr><td>sha256<\/td><td>0A1CDC92BBB77C897723F21A376213480FD3484E45BDA05AA5958E84A7C2EDFF<\/td><\/tr><tr><td>file-size<\/td><td>2863616 (bytes)<\/td><\/tr><tr><td>entropy<\/td><td>7.952<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"has-text-align-center wp-block-heading\"><span style=\"color:#ffffff\" class=\"tadv-color\"><span style=\"background-color:#002060\" class=\"tadv-background-color\"> Executable: sc <\/span><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"> Description<\/h4>\n\n\n\n<p><strong>Shellcode<\/strong> for exploiting the <strong>EternalBlue<\/strong> vulnerability. Used for <strong><em>Lateral Movement<\/em><\/strong> operations.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"> Details <\/h4>\n\n\n\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"\"><tbody><tr><td>md5<\/td><td>777D2A050AB7FACE761C1A6449913BAA<\/td><\/tr><tr><td>sha1<\/td><td>061C3DF042325F69BB966ADAEC6D78742DDE2036<\/td><\/tr><tr><td>sha256<\/td><td>9CDB5020DF269828480D77FE03758EF70046A71B11D4C8182BA5465C877715D0<\/td><\/tr><tr><td>file-size<\/td><td>2413 (bytes)<\/td><\/tr><tr><td>entropy<\/td><td>5.260<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>WannaMine cryptominer worm: lateral movement via EternalBlue, Mimikatz credential harvesting, persistence mechanisms and the field intervention to remediate a long-running 
compromise.<\/p>\n","protected":false},"author":1,"featured_media":2839,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[86,3139,126,131,201,228,229,233,387,392,433],"class_list":["post-2806","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-criptomining","tag-cryptominer","tag-empire","tag-eternalblue","tag-lateral-movement","tag-mimikatz","tag-mining","tag-monero","tag-wannamine","tag-wmi","tag-worm"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2806","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2806"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2806\/revisions"}],"predecessor-version":[{"id":9849,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2806\/revisions\/9849"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2806"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2806"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2806"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}