wannacry | 49226d9d4d6b7db5be0d155273e5e6546ec029b2afc1651b6478f13f5febf29e

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c36b1df21a113df6b722739559789d7a.dll
Size

5.0MB
MD5

c36b1df21a113df6b722739559789d7a
SHA1

559960bd1ccd2351761eae1362a57c9857562d71
SHA256

49226d9d4d6b7db5be0d155273e5e6546ec029b2afc1651b6478f13f5febf29e
SHA512

b8856ab6b2d5c85c21a9de474b4d112e9f9671196536ecfc7d83dd650aec7043b6c0afc0505bf44ea8509376328ead206c3c1eb9306a8e1218db22146f5716be

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3219) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

4300 mssecsvc.exe
2788 mssecsvc.exe
4268 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

pid	process
4300	mssecsvc.exe
2788	mssecsvc.exe
4268	tasksche.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2204 wrote to memory of 968	2204	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 968	2204	rundll32.exe	rundll32.exe
PID 2204 wrote to memory of 968	2204	rundll32.exe	rundll32.exe
PID 968 wrote to memory of 4300	968	rundll32.exe	mssecsvc.exe
PID 968 wrote to memory of 4300	968	rundll32.exe	mssecsvc.exe
PID 968 wrote to memory of 4300	968	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c36b1df21a113df6b722739559789d7a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c36b1df21a113df6b722739559789d7a.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:968

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4300

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:4268

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
3.6MB

MD5
71947d8845c563f91b94f8d155ec2794

SHA1
e9c550c7c2b0df8989bbddb63abaf5cc642be245

SHA256
20ac1a6e3725dcb8d7e889bd3401725a6af076525ae25abe4914146c2bb39c74

SHA512
6d70e84242970a4b65427b2f1741096635f9f812964b22b5d0c55c1f91e681b9cedd2d8946a8ace4f550776a77ee101f3912d71d01d36224fd65a1de8b35bf6c

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
71947d8845c563f91b94f8d155ec2794

SHA1
e9c550c7c2b0df8989bbddb63abaf5cc642be245

SHA256
20ac1a6e3725dcb8d7e889bd3401725a6af076525ae25abe4914146c2bb39c74

SHA512
6d70e84242970a4b65427b2f1741096635f9f812964b22b5d0c55c1f91e681b9cedd2d8946a8ace4f550776a77ee101f3912d71d01d36224fd65a1de8b35bf6c

Download Submit
C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
71947d8845c563f91b94f8d155ec2794

SHA1
e9c550c7c2b0df8989bbddb63abaf5cc642be245

SHA256
20ac1a6e3725dcb8d7e889bd3401725a6af076525ae25abe4914146c2bb39c74

SHA512
6d70e84242970a4b65427b2f1741096635f9f812964b22b5d0c55c1f91e681b9cedd2d8946a8ace4f550776a77ee101f3912d71d01d36224fd65a1de8b35bf6c

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
a203a133174d3b4ebe3ee65dd2882af9

SHA1
b3def31fcb3629d202609de7af988ffbdcc8aea1

SHA256
2bc3f0f53335d039a76281e0c9a15c271f11e7ab86372b16bf1a08c0fb6726f0

SHA512
60ac2f833d38970f28d0db5166fa815cc5e56ee86c8dede3b2c6e43d021ae832d6ca85e6713041f278a6df00ad461daec629194af0de5d88c2befecaf1873350

Download Submit
memory/968-130-0x0000000000000000-mapping.dmp

Download
memory/4300-131-0x0000000000000000-mapping.dmp

Download