wannacry | 0bf994bea8d93e0307e56148b760e31d19afcc444e71ee7062025436aca9f0e9

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2022 18:41

Target

53bd36e4beb02198ccdde6c3a75663c2.dll
Size

5.0MB
MD5

53bd36e4beb02198ccdde6c3a75663c2
SHA1

c4c139c11405027b5a3f019f073d7b1c4082f905
SHA256

0bf994bea8d93e0307e56148b760e31d19afcc444e71ee7062025436aca9f0e9
SHA512

c02b67c609bc746311caefbfe4faf2332745bcdf1c0646bcc09d6153c1c01775e546a9a0b77e9cacb5dc39aaad505936bef9ad8a66bec7e22a6c92780f09b225

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3173) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

4544 mssecsvr.exe
3744 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

mssecsvr.exerundll32.exe

description ioc process

File created C:\WINDOWS\tasksche.exe mssecsvr.exe
File created C:\WINDOWS\mssecsvr.exe rundll32.exe

pid	process
4544	mssecsvr.exe
3744	mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2632 wrote to memory of 2228	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2228	2632	rundll32.exe	rundll32.exe
PID 2632 wrote to memory of 2228	2632	rundll32.exe	rundll32.exe
PID 2228 wrote to memory of 4544	2228	rundll32.exe	mssecsvr.exe
PID 2228 wrote to memory of 4544	2228	rundll32.exe	mssecsvr.exe
PID 2228 wrote to memory of 4544	2228	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\53bd36e4beb02198ccdde6c3a75663c2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2632

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB

MD5
63a98253cce2b5a2f596ac5142b309d3

SHA1
408dd5f4e660b225172b054a899bf0b374a152f1

SHA256
159916d87c50ea0a9237612fee58a73c9c60a3dc247f9757ae3ee91f6cfea6b8

SHA512
7b5ed3566385fc5b616d04fdf59723c1c79e242ec74d00b94f62ac81aaea476114acdb22d8ded7d94df88d6351ebadd3c9db3b9d772cc186c53a412025e178fc

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
63a98253cce2b5a2f596ac5142b309d3

SHA1
408dd5f4e660b225172b054a899bf0b374a152f1

SHA256
159916d87c50ea0a9237612fee58a73c9c60a3dc247f9757ae3ee91f6cfea6b8

SHA512
7b5ed3566385fc5b616d04fdf59723c1c79e242ec74d00b94f62ac81aaea476114acdb22d8ded7d94df88d6351ebadd3c9db3b9d772cc186c53a412025e178fc

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
63a98253cce2b5a2f596ac5142b309d3

SHA1
408dd5f4e660b225172b054a899bf0b374a152f1

SHA256
159916d87c50ea0a9237612fee58a73c9c60a3dc247f9757ae3ee91f6cfea6b8

SHA512
7b5ed3566385fc5b616d04fdf59723c1c79e242ec74d00b94f62ac81aaea476114acdb22d8ded7d94df88d6351ebadd3c9db3b9d772cc186c53a412025e178fc

Download Submit
memory/2228-130-0x0000000000000000-mapping.dmp

Download
memory/4544-131-0x0000000000000000-mapping.dmp

Download