wannacry | 072d830282531cfe17214abc9dad67e3a1c71f5fab3f4d57398483e26b14359d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220718-en
resource tags

arch:x64arch:x86image:win10v2004-20220718-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2022 00:44

Target

8a3d79d167ee3b3e4edcd795cc7a3d1f.dll
Size

5.0MB
MD5

8a3d79d167ee3b3e4edcd795cc7a3d1f
SHA1

69c8a6cf35ba8665326156d50c3ca301d72b6b62
SHA256

072d830282531cfe17214abc9dad67e3a1c71f5fab3f4d57398483e26b14359d
SHA512

52b6771c217a9c66d10d6e8e733198eca5ee641d23ddb67d73692567a53407d3bb971ce59f8bb9de426d2d638880e0227e260a5aac0cd64410135ab92b079ec5

Score

10^/10

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3176) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 2 IoCs

Processes:

mssecsvr.exemssecsvr.exe

pid process

4112 mssecsvr.exe
4316 mssecsvr.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvr.exe

description ioc process

File created C:\WINDOWS\mssecsvr.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvr.exe

pid	process
4112	mssecsvr.exe
4316	mssecsvr.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

mssecsvr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3536 wrote to memory of 3796	3536	rundll32.exe	rundll32.exe
PID 3536 wrote to memory of 3796	3536	rundll32.exe	rundll32.exe
PID 3536 wrote to memory of 3796	3536	rundll32.exe	rundll32.exe
PID 3796 wrote to memory of 4112	3796	rundll32.exe	mssecsvr.exe
PID 3796 wrote to memory of 4112	3796	rundll32.exe	mssecsvr.exe
PID 3796 wrote to memory of 4112	3796	rundll32.exe	mssecsvr.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a3d79d167ee3b3e4edcd795cc7a3d1f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3536

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Scanning

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

C:\WINDOWS\mssecsvr.exe
Filesize
2.2MB

MD5
52f32ddde05bece6322c3c5ddc2a3e34

SHA1
3cc86a5b0d9b98c631173f099f8b66b3495f9003

SHA256
24ee88df255e6bb2902363aa3fdaedd6975d7fcf0a45407916bd332c03525932

SHA512
f1be0e42e90497b2569d3bb451cbac3f5feee75124840e7186f5465157533358fecd791e3fe527ae9107eb02735b14efc6daaa145c9999291e9710c9902bbecd

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
52f32ddde05bece6322c3c5ddc2a3e34

SHA1
3cc86a5b0d9b98c631173f099f8b66b3495f9003

SHA256
24ee88df255e6bb2902363aa3fdaedd6975d7fcf0a45407916bd332c03525932

SHA512
f1be0e42e90497b2569d3bb451cbac3f5feee75124840e7186f5465157533358fecd791e3fe527ae9107eb02735b14efc6daaa145c9999291e9710c9902bbecd

Download Submit
C:\Windows\mssecsvr.exe
Filesize
2.2MB

MD5
52f32ddde05bece6322c3c5ddc2a3e34

SHA1
3cc86a5b0d9b98c631173f099f8b66b3495f9003

SHA256
24ee88df255e6bb2902363aa3fdaedd6975d7fcf0a45407916bd332c03525932

SHA512
f1be0e42e90497b2569d3bb451cbac3f5feee75124840e7186f5465157533358fecd791e3fe527ae9107eb02735b14efc6daaa145c9999291e9710c9902bbecd

Download Submit
memory/3796-130-0x0000000000000000-mapping.dmp

Download
memory/4112-131-0x0000000000000000-mapping.dmp

Download