wannacry | 4bf1fbbd994e86b9419d03ba4e930e2367837952ce603cbbed1d71750718c7c4

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2022 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4bb472fa8b01b19ff8ab5a6e46125f9.dll
Size

5.0MB
MD5

b4bb472fa8b01b19ff8ab5a6e46125f9
SHA1

4cb651d5b16fd5b3cff4246b28679378c546aa20
SHA256

4bf1fbbd994e86b9419d03ba4e930e2367837952ce603cbbed1d71750718c7c4
SHA512

f40f9ed6d5e7e7d51f20b0867bffc8fef0813c8a2836e0880b4da345ddb00e9b097ad36f93394b59f1050950827ae849f0df2a4b9cec13fb77b15dfb52a56300

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3094) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4900 mssecsvc.exe
3636 mssecsvc.exe
1612 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4900	mssecsvc.exe
3636	mssecsvc.exe
1612	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3456 wrote to memory of 856	3456	rundll32.exe	rundll32.exe
PID 3456 wrote to memory of 856	3456	rundll32.exe	rundll32.exe
PID 3456 wrote to memory of 856	3456	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 4900	856	rundll32.exe	mssecsvc.exe
PID 856 wrote to memory of 4900	856	rundll32.exe	mssecsvc.exe
PID 856 wrote to memory of 4900	856	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4bb472fa8b01b19ff8ab5a6e46125f9.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3456

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\b4bb472fa8b01b19ff8ab5a6e46125f9.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:856

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4900

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:1612

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3636

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
7235f260ef68f0aa902cc6652566da79

SHA1
7e357ba751207b4a0d25a2cab05ae12b7b3f5045

SHA256
505ddf47559ed7a36aafcc493bb3001e7e7c7cfdc7e419b66e2bb9d805ca4808

SHA512
87db6eae21f32b3a48d01ff31cabc081587b9279629e78569d4f258b391da899640cf7f1af094ab151f65d593976228eec3dcb0d0556f1396bfbe8970022fbd2

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
7235f260ef68f0aa902cc6652566da79

SHA1
7e357ba751207b4a0d25a2cab05ae12b7b3f5045

SHA256
505ddf47559ed7a36aafcc493bb3001e7e7c7cfdc7e419b66e2bb9d805ca4808

SHA512
87db6eae21f32b3a48d01ff31cabc081587b9279629e78569d4f258b391da899640cf7f1af094ab151f65d593976228eec3dcb0d0556f1396bfbe8970022fbd2

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
7235f260ef68f0aa902cc6652566da79

SHA1
7e357ba751207b4a0d25a2cab05ae12b7b3f5045

SHA256
505ddf47559ed7a36aafcc493bb3001e7e7c7cfdc7e419b66e2bb9d805ca4808

SHA512
87db6eae21f32b3a48d01ff31cabc081587b9279629e78569d4f258b391da899640cf7f1af094ab151f65d593976228eec3dcb0d0556f1396bfbe8970022fbd2

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
ba8922fceaeed80297c3c391c8844b70

SHA1
2ef2a451fbcd42a938ae3d7bfad93dbc8ebe144f

SHA256
e3825cad783a302902576ca4cfae9fdfc8640a012876402c89e7dd22475cda91

SHA512
faee2d00623ab8a0db455a4b26074faed6da189220630f5260c331ed3d7f633f4cb253efaae25101c64ca836bea92b2de9e8c18614da483d4614b2e176d159bb

Download Submit
memory/856-130-0x0000000000000000-mapping.dmp

Download
memory/4900-131-0x0000000000000000-mapping.dmp

Download