wannacry | 749eaa7de1b56feff6b790d65516822326f56ecff68bb7ce14ce410a4fe24646

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2022 23:35

Target

e01c3d5341904df74c97c4381c59b48d.dll
Size

5.0MB
MD5

e01c3d5341904df74c97c4381c59b48d
SHA1

6f5d96ec6b0c757bf288f7d322a546bac131c465
SHA256

749eaa7de1b56feff6b790d65516822326f56ecff68bb7ce14ce410a4fe24646
SHA512

e5e3ae53fcd67f12def785e51944cb76e41ab3ea0b78baa1e54769abdd6e2d7aa0e42f7a5560291b409c96eed9dbd279393fca106ca170d1633081dc3db7a379

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3229) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

4704 mssecsvr.exe
1460 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

pid	process
4704	mssecsvr.exe
1460	mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2136 wrote to memory of 4544	2136	rundll32.exe	rundll32.exe
PID 2136 wrote to memory of 4544	2136	rundll32.exe	rundll32.exe
PID 2136 wrote to memory of 4544	2136	rundll32.exe	rundll32.exe
PID 4544 wrote to memory of 4704	4544	rundll32.exe	mssecsvr.exe
PID 4544 wrote to memory of 4704	4544	rundll32.exe	mssecsvr.exe
PID 4544 wrote to memory of 4704	4544	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e01c3d5341904df74c97c4381c59b48d.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2136

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\WINDOWS\mssecsvr.exe
Filesize
3.6MB

MD5
7b95b65f19ea524a91aa51c5e31b9fe7

SHA1
238dcc422df18fa90787efd69ef2a35de53b8cfb

SHA256
6a000b73cd7a5edf5fe93db5196cc102eeb25e9bf519aee996c93190e092bf24

SHA512
34e24204ab2aaf662f5a9168685ee8a9841a61fbebbc4c3a024633987823c0cf1c54121774ca5af9305d5366a5ab50d278c9eb520aa4fa10868bcd23e6d4beec

Download Submit
C:\Windows\mssecsvr.exe
Filesize
3.6MB

MD5
7b95b65f19ea524a91aa51c5e31b9fe7

SHA1
238dcc422df18fa90787efd69ef2a35de53b8cfb

SHA256
6a000b73cd7a5edf5fe93db5196cc102eeb25e9bf519aee996c93190e092bf24

SHA512
34e24204ab2aaf662f5a9168685ee8a9841a61fbebbc4c3a024633987823c0cf1c54121774ca5af9305d5366a5ab50d278c9eb520aa4fa10868bcd23e6d4beec

Download Submit
C:\Windows\mssecsvr.exe
Filesize
3.6MB

MD5
7b95b65f19ea524a91aa51c5e31b9fe7

SHA1
238dcc422df18fa90787efd69ef2a35de53b8cfb

SHA256
6a000b73cd7a5edf5fe93db5196cc102eeb25e9bf519aee996c93190e092bf24

SHA512
34e24204ab2aaf662f5a9168685ee8a9841a61fbebbc4c3a024633987823c0cf1c54121774ca5af9305d5366a5ab50d278c9eb520aa4fa10868bcd23e6d4beec

Download Submit
memory/4544-130-0x0000000000000000-mapping.dmp

Download
memory/4704-131-0x0000000000000000-mapping.dmp

Download